1*f0865ec9SKyle Evans /*
2*f0865ec9SKyle Evans * Copyright (C) 2017 - This file is part of libecc project
3*f0865ec9SKyle Evans *
4*f0865ec9SKyle Evans * Authors:
5*f0865ec9SKyle Evans * Ryad BENADJILA <ryadbenadjila@gmail.com>
6*f0865ec9SKyle Evans * Arnaud EBALARD <arnaud.ebalard@ssi.gouv.fr>
7*f0865ec9SKyle Evans * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
8*f0865ec9SKyle Evans *
9*f0865ec9SKyle Evans * Contributors:
10*f0865ec9SKyle Evans * Nicolas VIVET <nicolas.vivet@ssi.gouv.fr>
11*f0865ec9SKyle Evans * Karim KHALFALLAH <karim.khalfallah@ssi.gouv.fr>
12*f0865ec9SKyle Evans *
13*f0865ec9SKyle Evans * This software is licensed under a dual BSD and GPL v2 license.
14*f0865ec9SKyle Evans * See LICENSE file at the root folder of the project.
15*f0865ec9SKyle Evans */
16*f0865ec9SKyle Evans #include <libecc/lib_ecc_config.h>
17*f0865ec9SKyle Evans #if defined(WITH_SIG_ECDSA) || defined(WITH_SIG_DECDSA)
18*f0865ec9SKyle Evans
19*f0865ec9SKyle Evans #include <libecc/nn/nn_rand.h>
20*f0865ec9SKyle Evans #include <libecc/nn/nn_mul_public.h>
21*f0865ec9SKyle Evans #include <libecc/nn/nn_logical.h>
22*f0865ec9SKyle Evans
23*f0865ec9SKyle Evans #include <libecc/sig/sig_algs_internal.h>
24*f0865ec9SKyle Evans #include <libecc/sig/ec_key.h>
25*f0865ec9SKyle Evans #include <libecc/utils/utils.h>
26*f0865ec9SKyle Evans #ifdef VERBOSE_INNER_VALUES
27*f0865ec9SKyle Evans #define EC_SIG_ALG "ECDSA"
28*f0865ec9SKyle Evans #endif
29*f0865ec9SKyle Evans #include <libecc/utils/dbg_sig.h>
30*f0865ec9SKyle Evans
31*f0865ec9SKyle Evans
32*f0865ec9SKyle Evans #if defined(WITH_SIG_DECDSA)
33*f0865ec9SKyle Evans #include <libecc/hash/hmac.h>
34*f0865ec9SKyle Evans
35*f0865ec9SKyle Evans /*
36*f0865ec9SKyle Evans * Deterministic nonce generation function for deterministic ECDSA, as
37*f0865ec9SKyle Evans * described in RFC6979.
38*f0865ec9SKyle Evans * NOTE: Deterministic nonce generation for ECDSA is useful against attackers
39*f0865ec9SKyle Evans * in contexts where only poor RNG/entropy are available, or when nonce bits
40*f0865ec9SKyle Evans * leaking can be possible through side-channel attacks.
41*f0865ec9SKyle Evans * However, in contexts where fault attacks are easy to mount, deterministic
42*f0865ec9SKyle Evans * ECDSA can bring more security risks than regular ECDSA.
43*f0865ec9SKyle Evans *
44*f0865ec9SKyle Evans * Depending on the context where you use the library, choose carefully if
45*f0865ec9SKyle Evans * you want to use the deterministic version or not.
46*f0865ec9SKyle Evans *
47*f0865ec9SKyle Evans */
__ecdsa_rfc6979_nonce(nn_t k,nn_src_t q,bitcnt_t q_bit_len,nn_src_t x,const u8 * hash,u8 hsize,hash_alg_type hash_type)48*f0865ec9SKyle Evans ATTRIBUTE_WARN_UNUSED_RET static int __ecdsa_rfc6979_nonce(nn_t k, nn_src_t q, bitcnt_t q_bit_len,
49*f0865ec9SKyle Evans nn_src_t x, const u8 *hash, u8 hsize,
50*f0865ec9SKyle Evans hash_alg_type hash_type)
51*f0865ec9SKyle Evans {
52*f0865ec9SKyle Evans int ret, cmp;
53*f0865ec9SKyle Evans u8 V[MAX_DIGEST_SIZE];
54*f0865ec9SKyle Evans u8 K[MAX_DIGEST_SIZE];
55*f0865ec9SKyle Evans u8 T[BYTECEIL(CURVES_MAX_Q_BIT_LEN) + MAX_DIGEST_SIZE];
56*f0865ec9SKyle Evans u8 priv_key_buff[EC_PRIV_KEY_MAX_SIZE];
57*f0865ec9SKyle Evans hmac_context hmac_ctx;
58*f0865ec9SKyle Evans bitcnt_t t_bit_len;
59*f0865ec9SKyle Evans u8 q_len;
60*f0865ec9SKyle Evans u8 hmac_size;
61*f0865ec9SKyle Evans u8 tmp;
62*f0865ec9SKyle Evans
63*f0865ec9SKyle Evans /* Sanity checks */
64*f0865ec9SKyle Evans MUST_HAVE((k != NULL), ret, err);
65*f0865ec9SKyle Evans MUST_HAVE((hash != NULL), ret, err);
66*f0865ec9SKyle Evans ret = nn_check_initialized(q); EG(ret, err);
67*f0865ec9SKyle Evans ret = nn_check_initialized(x); EG(ret, err);
68*f0865ec9SKyle Evans
69*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len);
70*f0865ec9SKyle Evans
71*f0865ec9SKyle Evans MUST_HAVE((q_len <= EC_PRIV_KEY_MAX_SIZE) && (hsize <= MAX_BLOCK_SIZE), ret, err);
72*f0865ec9SKyle Evans
73*f0865ec9SKyle Evans /* Steps b. and c.: set V = 0x01 ... 0x01 and K = 0x00 ... 0x00 */
74*f0865ec9SKyle Evans ret = local_memset(V, 0x01, hsize); EG(ret, err);
75*f0865ec9SKyle Evans ret = local_memset(K, 0x00, hsize); EG(ret, err);
76*f0865ec9SKyle Evans /* Export our private key in a buffer */
77*f0865ec9SKyle Evans ret = nn_export_to_buf(priv_key_buff, q_len, x); EG(ret, err);
78*f0865ec9SKyle Evans /* Step d.: set K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))
79*f0865ec9SKyle Evans * where x is the private key and h1 the message hash.
80*f0865ec9SKyle Evans */
81*f0865ec9SKyle Evans ret = hmac_init(&hmac_ctx, K, hsize, hash_type); EG(ret, err);
82*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, V, hsize); EG(ret, err);
83*f0865ec9SKyle Evans
84*f0865ec9SKyle Evans tmp = 0x00;
85*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, &tmp, 1); EG(ret, err);
86*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, priv_key_buff, q_len); EG(ret, err);
87*f0865ec9SKyle Evans
88*f0865ec9SKyle Evans /* We compute bits2octets(hash) here */
89*f0865ec9SKyle Evans ret = nn_init_from_buf(k, hash, hsize); EG(ret, err);
90*f0865ec9SKyle Evans if((8 * hsize) > q_bit_len){
91*f0865ec9SKyle Evans ret = nn_rshift(k, k, (bitcnt_t)((8 * hsize) - q_bit_len)); EG(ret, err);
92*f0865ec9SKyle Evans }
93*f0865ec9SKyle Evans ret = nn_mod(k, k, q); EG(ret, err);
94*f0865ec9SKyle Evans ret = nn_export_to_buf(T, q_len, k); EG(ret, err);
95*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, T, q_len); EG(ret, err);
96*f0865ec9SKyle Evans hmac_size = sizeof(K);
97*f0865ec9SKyle Evans ret = hmac_finalize(&hmac_ctx, K, &hmac_size); EG(ret, err);
98*f0865ec9SKyle Evans
99*f0865ec9SKyle Evans /* Step e.: set V = HMAC_K(V) */
100*f0865ec9SKyle Evans hmac_size = sizeof(V);
101*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err);
102*f0865ec9SKyle Evans /* Step f.: K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1)) */
103*f0865ec9SKyle Evans ret = hmac_init(&hmac_ctx, K, hsize, hash_type); EG(ret, err);
104*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, V, hsize); EG(ret, err);
105*f0865ec9SKyle Evans
106*f0865ec9SKyle Evans tmp = 0x01;
107*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, &tmp, 1); EG(ret, err);
108*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, priv_key_buff, q_len); EG(ret, err);
109*f0865ec9SKyle Evans
110*f0865ec9SKyle Evans /* We compute bits2octets(hash) here */
111*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, T, q_len); EG(ret, err);
112*f0865ec9SKyle Evans hmac_size = sizeof(K);
113*f0865ec9SKyle Evans ret = hmac_finalize(&hmac_ctx, K, &hmac_size); EG(ret, err);
114*f0865ec9SKyle Evans /* Step g.: set V = HMAC_K(V)*/
115*f0865ec9SKyle Evans hmac_size = sizeof(V);
116*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err);
117*f0865ec9SKyle Evans
118*f0865ec9SKyle Evans /* Step h. now apply the generation algorithm until we get
119*f0865ec9SKyle Evans * a proper nonce value:
120*f0865ec9SKyle Evans * 1. Set T to the empty sequence. The length of T (in bits) is
121*f0865ec9SKyle Evans * denoted tlen; thus, at that point, tlen = 0.
122*f0865ec9SKyle Evans * 2. While tlen < qlen, do the following:
123*f0865ec9SKyle Evans * V = HMAC_K(V)
124*f0865ec9SKyle Evans * T = T || V
125*f0865ec9SKyle Evans * 3. Compute:
126*f0865ec9SKyle Evans * k = bits2int(T)
127*f0865ec9SKyle Evans * If that value of k is within the [1,q-1] range, and is
128*f0865ec9SKyle Evans * suitable for DSA or ECDSA (i.e., it results in an r value
129*f0865ec9SKyle Evans * that is not 0; see Section 3.4), then the generation of k is
130*f0865ec9SKyle Evans * finished. The obtained value of k is used in DSA or ECDSA.
131*f0865ec9SKyle Evans * Otherwise, compute:
132*f0865ec9SKyle Evans * K = HMAC_K(V || 0x00)
133*f0865ec9SKyle Evans * V = HMAC_K(V)
134*f0865ec9SKyle Evans * and loop (try to generate a new T, and so on).
135*f0865ec9SKyle Evans */
136*f0865ec9SKyle Evans restart:
137*f0865ec9SKyle Evans t_bit_len = 0;
138*f0865ec9SKyle Evans while(t_bit_len < q_bit_len){
139*f0865ec9SKyle Evans /* V = HMAC_K(V) */
140*f0865ec9SKyle Evans hmac_size = sizeof(V);
141*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err);
142*f0865ec9SKyle Evans ret = local_memcpy(&T[BYTECEIL(t_bit_len)], V, hmac_size); EG(ret, err);
143*f0865ec9SKyle Evans t_bit_len = (bitcnt_t)(t_bit_len + (8 * hmac_size));
144*f0865ec9SKyle Evans }
145*f0865ec9SKyle Evans ret = nn_init_from_buf(k, T, q_len); EG(ret, err);
146*f0865ec9SKyle Evans if((8 * q_len) > q_bit_len){
147*f0865ec9SKyle Evans ret = nn_rshift(k, k, (bitcnt_t)((8 * q_len) - q_bit_len)); EG(ret, err);
148*f0865ec9SKyle Evans }
149*f0865ec9SKyle Evans ret = nn_cmp(k, q, &cmp); EG(ret, err);
150*f0865ec9SKyle Evans if(cmp >= 0){
151*f0865ec9SKyle Evans /* K = HMAC_K(V || 0x00) */
152*f0865ec9SKyle Evans ret = hmac_init(&hmac_ctx, K, hsize, hash_type); EG(ret, err);
153*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, V, hsize); EG(ret, err);
154*f0865ec9SKyle Evans
155*f0865ec9SKyle Evans tmp = 0x00;
156*f0865ec9SKyle Evans ret = hmac_update(&hmac_ctx, &tmp, 1); EG(ret, err);
157*f0865ec9SKyle Evans
158*f0865ec9SKyle Evans hmac_size = sizeof(K);
159*f0865ec9SKyle Evans ret = hmac_finalize(&hmac_ctx, K, &hmac_size); EG(ret, err);
160*f0865ec9SKyle Evans /* V = HMAC_K(V) */
161*f0865ec9SKyle Evans hmac_size = sizeof(V);
162*f0865ec9SKyle Evans ret = hmac(K, hsize, hash_type, V, hsize, V, &hmac_size); EG(ret, err);
163*f0865ec9SKyle Evans
164*f0865ec9SKyle Evans goto restart;
165*f0865ec9SKyle Evans }
166*f0865ec9SKyle Evans
167*f0865ec9SKyle Evans err:
168*f0865ec9SKyle Evans return ret;
169*f0865ec9SKyle Evans }
170*f0865ec9SKyle Evans #endif
171*f0865ec9SKyle Evans
__ecdsa_init_pub_key(ec_pub_key * out_pub,const ec_priv_key * in_priv,ec_alg_type key_type)172*f0865ec9SKyle Evans int __ecdsa_init_pub_key(ec_pub_key *out_pub, const ec_priv_key *in_priv,
173*f0865ec9SKyle Evans ec_alg_type key_type)
174*f0865ec9SKyle Evans {
175*f0865ec9SKyle Evans prj_pt_src_t G;
176*f0865ec9SKyle Evans int ret, cmp;
177*f0865ec9SKyle Evans nn_src_t q;
178*f0865ec9SKyle Evans
179*f0865ec9SKyle Evans MUST_HAVE((out_pub != NULL), ret, err);
180*f0865ec9SKyle Evans
181*f0865ec9SKyle Evans /* Zero init public key to be generated */
182*f0865ec9SKyle Evans ret = local_memset(out_pub, 0, sizeof(ec_pub_key)); EG(ret, err);
183*f0865ec9SKyle Evans
184*f0865ec9SKyle Evans ret = priv_key_check_initialized_and_type(in_priv, key_type); EG(ret, err);
185*f0865ec9SKyle Evans q = &(in_priv->params->ec_gen_order);
186*f0865ec9SKyle Evans
187*f0865ec9SKyle Evans /* Sanity check on key compliance */
188*f0865ec9SKyle Evans MUST_HAVE((!nn_cmp(&(in_priv->x), q, &cmp)) && (cmp < 0), ret, err);
189*f0865ec9SKyle Evans
190*f0865ec9SKyle Evans /* Y = xG */
191*f0865ec9SKyle Evans G = &(in_priv->params->ec_gen);
192*f0865ec9SKyle Evans /* Use blinding when computing point scalar multiplication */
193*f0865ec9SKyle Evans ret = prj_pt_mul_blind(&(out_pub->y), &(in_priv->x), G); EG(ret, err);
194*f0865ec9SKyle Evans
195*f0865ec9SKyle Evans out_pub->key_type = key_type;
196*f0865ec9SKyle Evans out_pub->params = in_priv->params;
197*f0865ec9SKyle Evans out_pub->magic = PUB_KEY_MAGIC;
198*f0865ec9SKyle Evans
199*f0865ec9SKyle Evans err:
200*f0865ec9SKyle Evans return ret;
201*f0865ec9SKyle Evans }
202*f0865ec9SKyle Evans
__ecdsa_siglen(u16 p_bit_len,u16 q_bit_len,u8 hsize,u8 blocksize,u8 * siglen)203*f0865ec9SKyle Evans int __ecdsa_siglen(u16 p_bit_len, u16 q_bit_len, u8 hsize, u8 blocksize, u8 *siglen)
204*f0865ec9SKyle Evans {
205*f0865ec9SKyle Evans int ret;
206*f0865ec9SKyle Evans
207*f0865ec9SKyle Evans MUST_HAVE(siglen != NULL, ret, err);
208*f0865ec9SKyle Evans MUST_HAVE((p_bit_len <= CURVES_MAX_P_BIT_LEN) &&
209*f0865ec9SKyle Evans (q_bit_len <= CURVES_MAX_Q_BIT_LEN) &&
210*f0865ec9SKyle Evans (hsize <= MAX_DIGEST_SIZE) && (blocksize <= MAX_BLOCK_SIZE), ret, err);
211*f0865ec9SKyle Evans (*siglen) = (u8)ECDSA_SIGLEN(q_bit_len);
212*f0865ec9SKyle Evans ret = 0;
213*f0865ec9SKyle Evans
214*f0865ec9SKyle Evans err:
215*f0865ec9SKyle Evans return ret;
216*f0865ec9SKyle Evans }
217*f0865ec9SKyle Evans
218*f0865ec9SKyle Evans /*
219*f0865ec9SKyle Evans * Generic *internal* ECDSA signature functions (init, update and finalize).
220*f0865ec9SKyle Evans * Their purpose is to allow passing a specific hash function (along with
221*f0865ec9SKyle Evans * its output size) and the random ephemeral key k, so that compliance
222*f0865ec9SKyle Evans * tests against test vectors can be made without ugly hack in the code
223*f0865ec9SKyle Evans * itself.
224*f0865ec9SKyle Evans *
225*f0865ec9SKyle Evans * Global EC-DSA signature process is as follows (I,U,F provides
226*f0865ec9SKyle Evans * information in which function(s) (init(), update() or finalize())
227*f0865ec9SKyle Evans * a specific step is performed):
228*f0865ec9SKyle Evans *
229*f0865ec9SKyle Evans *| IUF - ECDSA signature
230*f0865ec9SKyle Evans *|
231*f0865ec9SKyle Evans *| UF 1. Compute h = H(m)
232*f0865ec9SKyle Evans *| F 2. If |h| > bitlen(q), set h to bitlen(q)
233*f0865ec9SKyle Evans *| leftmost (most significant) bits of h
234*f0865ec9SKyle Evans *| F 3. e = OS2I(h) mod q
235*f0865ec9SKyle Evans *| F 4. Get a random value k in ]0,q[
236*f0865ec9SKyle Evans *| F 5. Compute W = (W_x,W_y) = kG
237*f0865ec9SKyle Evans *| F 6. Compute r = W_x mod q
238*f0865ec9SKyle Evans *| F 7. If r is 0, restart the process at step 4.
239*f0865ec9SKyle Evans *| F 8. If e == rx, restart the process at step 4.
240*f0865ec9SKyle Evans *| F 9. Compute s = k^-1 * (xr + e) mod q
241*f0865ec9SKyle Evans *| F 10. If s is 0, restart the process at step 4.
242*f0865ec9SKyle Evans *| F 11. Return (r,s)
243*f0865ec9SKyle Evans *
244*f0865ec9SKyle Evans * Implementation notes:
245*f0865ec9SKyle Evans *
246*f0865ec9SKyle Evans * a) Usually (this is for instance the case in ISO 14888-3 and X9.62), the
247*f0865ec9SKyle Evans * process starts with steps 4 to 7 and is followed by steps 1 to 3.
248*f0865ec9SKyle Evans * The order is modified here w/o impact on the result and the security
249*f0865ec9SKyle Evans * in order to allow the algorithm to be compatible with an
250*f0865ec9SKyle Evans * init/update/finish API. More explicitly, the generation of k, which
251*f0865ec9SKyle Evans * may later result in a (unlikely) restart of the whole process is
252*f0865ec9SKyle Evans * postponed until the hash of the message has been computed.
253*f0865ec9SKyle Evans * b) sig is built as the concatenation of r and s. Both r and s are
254*f0865ec9SKyle Evans * encoded on ceil(bitlen(q)/8) bytes.
255*f0865ec9SKyle Evans * c) in EC-DSA, the public part of the key is not needed per se during the
256*f0865ec9SKyle Evans * signature but - as it is needed in other signature algs implemented
257*f0865ec9SKyle Evans * in the library - the whole key pair is passed instead of just the
258*f0865ec9SKyle Evans * private key.
259*f0865ec9SKyle Evans */
260*f0865ec9SKyle Evans
261*f0865ec9SKyle Evans #define ECDSA_SIGN_MAGIC ((word_t)(0x80299a2bf630945bULL))
262*f0865ec9SKyle Evans #define ECDSA_SIGN_CHECK_INITIALIZED(A, ret, err) \
263*f0865ec9SKyle Evans MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == ECDSA_SIGN_MAGIC), ret, err)
264*f0865ec9SKyle Evans
__ecdsa_sign_init(struct ec_sign_context * ctx,ec_alg_type key_type)265*f0865ec9SKyle Evans int __ecdsa_sign_init(struct ec_sign_context *ctx, ec_alg_type key_type)
266*f0865ec9SKyle Evans {
267*f0865ec9SKyle Evans int ret;
268*f0865ec9SKyle Evans
269*f0865ec9SKyle Evans /* First, verify context has been initialized */
270*f0865ec9SKyle Evans ret = sig_sign_check_initialized(ctx); EG(ret, err);
271*f0865ec9SKyle Evans
272*f0865ec9SKyle Evans /* Additional sanity checks on input params from context */
273*f0865ec9SKyle Evans ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err);
274*f0865ec9SKyle Evans
275*f0865ec9SKyle Evans MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) &&
276*f0865ec9SKyle Evans (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err);
277*f0865ec9SKyle Evans
278*f0865ec9SKyle Evans /*
279*f0865ec9SKyle Evans * Initialize hash context stored in our private part of context
280*f0865ec9SKyle Evans * and record data init has been done
281*f0865ec9SKyle Evans */
282*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */
283*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
284*f0865ec9SKyle Evans ret = ctx->h->hfunc_init(&(ctx->sign_data.ecdsa.h_ctx)); EG(ret, err);
285*f0865ec9SKyle Evans
286*f0865ec9SKyle Evans ctx->sign_data.ecdsa.magic = ECDSA_SIGN_MAGIC;
287*f0865ec9SKyle Evans
288*f0865ec9SKyle Evans err:
289*f0865ec9SKyle Evans return ret;
290*f0865ec9SKyle Evans }
291*f0865ec9SKyle Evans
__ecdsa_sign_update(struct ec_sign_context * ctx,const u8 * chunk,u32 chunklen,ec_alg_type key_type)292*f0865ec9SKyle Evans int __ecdsa_sign_update(struct ec_sign_context *ctx,
293*f0865ec9SKyle Evans const u8 *chunk, u32 chunklen, ec_alg_type key_type)
294*f0865ec9SKyle Evans {
295*f0865ec9SKyle Evans int ret;
296*f0865ec9SKyle Evans
297*f0865ec9SKyle Evans /*
298*f0865ec9SKyle Evans * First, verify context has been initialized and private
299*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA
300*f0865ec9SKyle Evans * signature one and we do not update() or finalize()
301*f0865ec9SKyle Evans * before init().
302*f0865ec9SKyle Evans */
303*f0865ec9SKyle Evans ret = sig_sign_check_initialized(ctx); EG(ret, err);
304*f0865ec9SKyle Evans ECDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecdsa), ret, err);
305*f0865ec9SKyle Evans
306*f0865ec9SKyle Evans /* Additional sanity checks on input params from context */
307*f0865ec9SKyle Evans ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err);
308*f0865ec9SKyle Evans
309*f0865ec9SKyle Evans /* 1. Compute h = H(m) */
310*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */
311*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
312*f0865ec9SKyle Evans ret = ctx->h->hfunc_update(&(ctx->sign_data.ecdsa.h_ctx), chunk, chunklen);
313*f0865ec9SKyle Evans
314*f0865ec9SKyle Evans err:
315*f0865ec9SKyle Evans return ret;
316*f0865ec9SKyle Evans }
317*f0865ec9SKyle Evans
__ecdsa_sign_finalize(struct ec_sign_context * ctx,u8 * sig,u8 siglen,ec_alg_type key_type)318*f0865ec9SKyle Evans int __ecdsa_sign_finalize(struct ec_sign_context *ctx, u8 *sig, u8 siglen,
319*f0865ec9SKyle Evans ec_alg_type key_type)
320*f0865ec9SKyle Evans {
321*f0865ec9SKyle Evans int ret, iszero, cmp;
322*f0865ec9SKyle Evans const ec_priv_key *priv_key;
323*f0865ec9SKyle Evans prj_pt_src_t G;
324*f0865ec9SKyle Evans u8 hash[MAX_DIGEST_SIZE];
325*f0865ec9SKyle Evans bitcnt_t rshift, q_bit_len;
326*f0865ec9SKyle Evans prj_pt kG;
327*f0865ec9SKyle Evans nn_src_t q, x;
328*f0865ec9SKyle Evans u8 hsize, q_len;
329*f0865ec9SKyle Evans nn k, r, e, tmp, s, kinv;
330*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING
331*f0865ec9SKyle Evans /* b is the blinding mask */
332*f0865ec9SKyle Evans nn b;
333*f0865ec9SKyle Evans b.magic = WORD(0);
334*f0865ec9SKyle Evans #endif
335*f0865ec9SKyle Evans
336*f0865ec9SKyle Evans k.magic = r.magic = e.magic = WORD(0);
337*f0865ec9SKyle Evans tmp.magic = s.magic = kinv.magic = WORD(0);
338*f0865ec9SKyle Evans kG.magic = WORD(0);
339*f0865ec9SKyle Evans
340*f0865ec9SKyle Evans /*
341*f0865ec9SKyle Evans * First, verify context has been initialized and private
342*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA
343*f0865ec9SKyle Evans * signature one and we do not finalize() before init().
344*f0865ec9SKyle Evans */
345*f0865ec9SKyle Evans ret = sig_sign_check_initialized(ctx); EG(ret, err);
346*f0865ec9SKyle Evans ECDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecdsa), ret, err);
347*f0865ec9SKyle Evans MUST_HAVE((sig != NULL), ret, err);
348*f0865ec9SKyle Evans
349*f0865ec9SKyle Evans /* Additional sanity checks on input params from context */
350*f0865ec9SKyle Evans ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err);
351*f0865ec9SKyle Evans
352*f0865ec9SKyle Evans /* Zero init out point */
353*f0865ec9SKyle Evans ret = local_memset(&kG, 0, sizeof(prj_pt)); EG(ret, err);
354*f0865ec9SKyle Evans
355*f0865ec9SKyle Evans /* Make things more readable */
356*f0865ec9SKyle Evans priv_key = &(ctx->key_pair->priv_key);
357*f0865ec9SKyle Evans q = &(priv_key->params->ec_gen_order);
358*f0865ec9SKyle Evans q_bit_len = priv_key->params->ec_gen_order_bitlen;
359*f0865ec9SKyle Evans G = &(priv_key->params->ec_gen);
360*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len);
361*f0865ec9SKyle Evans x = &(priv_key->x);
362*f0865ec9SKyle Evans hsize = ctx->h->digest_size;
363*f0865ec9SKyle Evans
364*f0865ec9SKyle Evans MUST_HAVE((priv_key->key_type == key_type), ret, err);
365*f0865ec9SKyle Evans
366*f0865ec9SKyle Evans /* Sanity check */
367*f0865ec9SKyle Evans ret = nn_cmp(x, q, &cmp); EG(ret, err);
368*f0865ec9SKyle Evans /* This should not happen and means that our
369*f0865ec9SKyle Evans * private key is not compliant!
370*f0865ec9SKyle Evans */
371*f0865ec9SKyle Evans MUST_HAVE((cmp < 0), ret, err);
372*f0865ec9SKyle Evans
373*f0865ec9SKyle Evans dbg_nn_print("p", &(priv_key->params->ec_fp.p));
374*f0865ec9SKyle Evans dbg_nn_print("q", &(priv_key->params->ec_gen_order));
375*f0865ec9SKyle Evans dbg_priv_key_print("x", priv_key);
376*f0865ec9SKyle Evans dbg_ec_point_print("G", &(priv_key->params->ec_gen));
377*f0865ec9SKyle Evans dbg_pub_key_print("Y", &(ctx->key_pair->pub_key));
378*f0865ec9SKyle Evans
379*f0865ec9SKyle Evans /* Check given signature buffer length has the expected size */
380*f0865ec9SKyle Evans MUST_HAVE((siglen == ECDSA_SIGLEN(q_bit_len)), ret, err);
381*f0865ec9SKyle Evans
382*f0865ec9SKyle Evans /* 1. Compute h = H(m) */
383*f0865ec9SKyle Evans ret = local_memset(hash, 0, hsize); EG(ret, err);
384*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */
385*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
386*f0865ec9SKyle Evans ret = ctx->h->hfunc_finalize(&(ctx->sign_data.ecdsa.h_ctx), hash); EG(ret, err);
387*f0865ec9SKyle Evans dbg_buf_print("h", hash, hsize);
388*f0865ec9SKyle Evans
389*f0865ec9SKyle Evans /*
390*f0865ec9SKyle Evans * 2. If |h| > bitlen(q), set h to bitlen(q)
391*f0865ec9SKyle Evans * leftmost bits of h.
392*f0865ec9SKyle Evans *
393*f0865ec9SKyle Evans * Note that it's easier to check if the truncation has
394*f0865ec9SKyle Evans * to be done here but only implement it using a logical
395*f0865ec9SKyle Evans * shift at the beginning of step 3. below once the hash
396*f0865ec9SKyle Evans * has been converted to an integer.
397*f0865ec9SKyle Evans */
398*f0865ec9SKyle Evans rshift = 0;
399*f0865ec9SKyle Evans if ((hsize * 8) > q_bit_len) {
400*f0865ec9SKyle Evans rshift = (bitcnt_t)((hsize * 8) - q_bit_len);
401*f0865ec9SKyle Evans }
402*f0865ec9SKyle Evans
403*f0865ec9SKyle Evans /*
404*f0865ec9SKyle Evans * 3. Compute e = OS2I(h) mod q, i.e. by converting h to an
405*f0865ec9SKyle Evans * integer and reducing it mod q
406*f0865ec9SKyle Evans */
407*f0865ec9SKyle Evans ret = nn_init_from_buf(&e, hash, hsize); EG(ret, err);
408*f0865ec9SKyle Evans dbg_nn_print("h initial import as nn", &e);
409*f0865ec9SKyle Evans if (rshift) {
410*f0865ec9SKyle Evans ret = nn_rshift_fixedlen(&e, &e, rshift); EG(ret, err);
411*f0865ec9SKyle Evans }
412*f0865ec9SKyle Evans dbg_nn_print("h final import as nn", &e);
413*f0865ec9SKyle Evans ret = nn_mod(&e, &e, q); EG(ret, err);
414*f0865ec9SKyle Evans dbg_nn_print("e", &e);
415*f0865ec9SKyle Evans
416*f0865ec9SKyle Evans restart:
417*f0865ec9SKyle Evans /* 4. get a random value k in ]0,q[ */
418*f0865ec9SKyle Evans #ifdef NO_KNOWN_VECTORS
419*f0865ec9SKyle Evans /* NOTE: when we do not need self tests for known vectors,
420*f0865ec9SKyle Evans * we can be strict about random function handler!
421*f0865ec9SKyle Evans * This allows us to avoid the corruption of such a pointer.
422*f0865ec9SKyle Evans */
423*f0865ec9SKyle Evans /* Sanity check on the handler before calling it */
424*f0865ec9SKyle Evans if(ctx->rand != nn_get_random_mod){
425*f0865ec9SKyle Evans #ifdef WITH_SIG_DECDSA
426*f0865ec9SKyle Evans /* In deterministic ECDSA, nevermind! */
427*f0865ec9SKyle Evans if(key_type != DECDSA)
428*f0865ec9SKyle Evans #endif
429*f0865ec9SKyle Evans {
430*f0865ec9SKyle Evans ret = -1;
431*f0865ec9SKyle Evans goto err;
432*f0865ec9SKyle Evans }
433*f0865ec9SKyle Evans }
434*f0865ec9SKyle Evans #endif
435*f0865ec9SKyle Evans if(ctx->rand != NULL){
436*f0865ec9SKyle Evans /* Non-deterministic generation, or deterministic with
437*f0865ec9SKyle Evans * test vectors.
438*f0865ec9SKyle Evans */
439*f0865ec9SKyle Evans ret = ctx->rand(&k, q);
440*f0865ec9SKyle Evans }
441*f0865ec9SKyle Evans else
442*f0865ec9SKyle Evans #if defined(WITH_SIG_DECDSA)
443*f0865ec9SKyle Evans {
444*f0865ec9SKyle Evans /* Only applies for DETERMINISTIC ECDSA */
445*f0865ec9SKyle Evans if(key_type != DECDSA){
446*f0865ec9SKyle Evans ret = -1;
447*f0865ec9SKyle Evans goto err;
448*f0865ec9SKyle Evans }
449*f0865ec9SKyle Evans /* Deterministically generate k as RFC6979 mandates */
450*f0865ec9SKyle Evans ret = __ecdsa_rfc6979_nonce(&k, q, q_bit_len, &(priv_key->x),
451*f0865ec9SKyle Evans hash, hsize, ctx->h->type);
452*f0865ec9SKyle Evans }
453*f0865ec9SKyle Evans #else
454*f0865ec9SKyle Evans {
455*f0865ec9SKyle Evans /* NULL rand function is not accepted for regular ECDSA */
456*f0865ec9SKyle Evans ret = -1;
457*f0865ec9SKyle Evans goto err;
458*f0865ec9SKyle Evans }
459*f0865ec9SKyle Evans #endif
460*f0865ec9SKyle Evans if (ret) {
461*f0865ec9SKyle Evans ret = -1;
462*f0865ec9SKyle Evans goto err;
463*f0865ec9SKyle Evans }
464*f0865ec9SKyle Evans dbg_nn_print("k", &k);
465*f0865ec9SKyle Evans
466*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING
467*f0865ec9SKyle Evans /* Note: if we use blinding, r and e are multiplied by
468*f0865ec9SKyle Evans * a random value b in ]0,q[ */
469*f0865ec9SKyle Evans ret = nn_get_random_mod(&b, q); EG(ret, err);
470*f0865ec9SKyle Evans
471*f0865ec9SKyle Evans dbg_nn_print("b", &b);
472*f0865ec9SKyle Evans #endif /* USE_SIG_BLINDING */
473*f0865ec9SKyle Evans
474*f0865ec9SKyle Evans
475*f0865ec9SKyle Evans /* 5. Compute W = (W_x,W_y) = kG */
476*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING
477*f0865ec9SKyle Evans ret = prj_pt_mul_blind(&kG, &k, G); EG(ret, err);
478*f0865ec9SKyle Evans #else
479*f0865ec9SKyle Evans ret = prj_pt_mul(&kG, &k, G); EG(ret, err);
480*f0865ec9SKyle Evans #endif /* USE_SIG_BLINDING */
481*f0865ec9SKyle Evans ret = prj_pt_unique(&kG, &kG); EG(ret, err);
482*f0865ec9SKyle Evans
483*f0865ec9SKyle Evans dbg_nn_print("W_x", &(kG.X.fp_val));
484*f0865ec9SKyle Evans dbg_nn_print("W_y", &(kG.Y.fp_val));
485*f0865ec9SKyle Evans
486*f0865ec9SKyle Evans /* 6. Compute r = W_x mod q */
487*f0865ec9SKyle Evans ret = nn_mod(&r, &(kG.X.fp_val), q); EG(ret, err);
488*f0865ec9SKyle Evans dbg_nn_print("r", &r);
489*f0865ec9SKyle Evans
490*f0865ec9SKyle Evans /* 7. If r is 0, restart the process at step 4. */
491*f0865ec9SKyle Evans ret = nn_iszero(&r, &iszero); EG(ret, err);
492*f0865ec9SKyle Evans if (iszero) {
493*f0865ec9SKyle Evans goto restart;
494*f0865ec9SKyle Evans }
495*f0865ec9SKyle Evans
496*f0865ec9SKyle Evans /* Clean hash buffer as we do not need it anymore */
497*f0865ec9SKyle Evans ret = local_memset(hash, 0, hsize); EG(ret, err);
498*f0865ec9SKyle Evans
499*f0865ec9SKyle Evans /* Export r */
500*f0865ec9SKyle Evans ret = nn_export_to_buf(sig, q_len, &r); EG(ret, err);
501*f0865ec9SKyle Evans
502*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING
503*f0865ec9SKyle Evans /* Blind r with b */
504*f0865ec9SKyle Evans ret = nn_mod_mul(&r, &r, &b, q); EG(ret, err);
505*f0865ec9SKyle Evans
506*f0865ec9SKyle Evans /* Blind the message e */
507*f0865ec9SKyle Evans ret = nn_mod_mul(&e, &e, &b, q); EG(ret, err);
508*f0865ec9SKyle Evans #endif /* USE_SIG_BLINDING */
509*f0865ec9SKyle Evans
510*f0865ec9SKyle Evans /* tmp = xr mod q */
511*f0865ec9SKyle Evans ret = nn_mod_mul(&tmp, x, &r, q); EG(ret, err);
512*f0865ec9SKyle Evans dbg_nn_print("x*r mod q", &tmp);
513*f0865ec9SKyle Evans
514*f0865ec9SKyle Evans /* 8. If e == rx, restart the process at step 4. */
515*f0865ec9SKyle Evans ret = nn_cmp(&e, &tmp, &cmp); EG(ret, err);
516*f0865ec9SKyle Evans if (!cmp) {
517*f0865ec9SKyle Evans goto restart;
518*f0865ec9SKyle Evans }
519*f0865ec9SKyle Evans
520*f0865ec9SKyle Evans /* 9. Compute s = k^-1 * (xr + e) mod q */
521*f0865ec9SKyle Evans
522*f0865ec9SKyle Evans /* tmp = (e + xr) mod q */
523*f0865ec9SKyle Evans ret = nn_mod_add(&tmp, &tmp, &e, q); EG(ret, err);
524*f0865ec9SKyle Evans dbg_nn_print("(xr + e) mod q", &tmp);
525*f0865ec9SKyle Evans
526*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING
527*f0865ec9SKyle Evans /*
528*f0865ec9SKyle Evans * In case of blinding, we compute (b*k)^-1, and b^-1 will
529*f0865ec9SKyle Evans * automatically unblind (r*x) in the following.
530*f0865ec9SKyle Evans */
531*f0865ec9SKyle Evans ret = nn_mod_mul(&k, &k, &b, q); EG(ret, err);
532*f0865ec9SKyle Evans #endif
533*f0865ec9SKyle Evans /* Compute k^-1 mod q */
534*f0865ec9SKyle Evans /* NOTE: we use Fermat's little theorem inversion for
535*f0865ec9SKyle Evans * constant time here. This is possible since q is prime.
536*f0865ec9SKyle Evans */
537*f0865ec9SKyle Evans ret = nn_modinv_fermat(&kinv, &k, q); EG(ret, err);
538*f0865ec9SKyle Evans
539*f0865ec9SKyle Evans dbg_nn_print("k^-1 mod q", &kinv);
540*f0865ec9SKyle Evans
541*f0865ec9SKyle Evans /* s = k^-1 * tmp2 mod q */
542*f0865ec9SKyle Evans ret = nn_mod_mul(&s, &tmp, &kinv, q); EG(ret, err);
543*f0865ec9SKyle Evans
544*f0865ec9SKyle Evans dbg_nn_print("s", &s);
545*f0865ec9SKyle Evans
546*f0865ec9SKyle Evans /* 10. If s is 0, restart the process at step 4. */
547*f0865ec9SKyle Evans ret = nn_iszero(&s, &iszero); EG(ret, err);
548*f0865ec9SKyle Evans if (iszero) {
549*f0865ec9SKyle Evans goto restart;
550*f0865ec9SKyle Evans }
551*f0865ec9SKyle Evans
552*f0865ec9SKyle Evans /* 11. return (r,s) */
553*f0865ec9SKyle Evans ret = nn_export_to_buf(sig + q_len, q_len, &s);
554*f0865ec9SKyle Evans
555*f0865ec9SKyle Evans err:
556*f0865ec9SKyle Evans nn_uninit(&k);
557*f0865ec9SKyle Evans nn_uninit(&r);
558*f0865ec9SKyle Evans nn_uninit(&e);
559*f0865ec9SKyle Evans nn_uninit(&tmp);
560*f0865ec9SKyle Evans nn_uninit(&s);
561*f0865ec9SKyle Evans nn_uninit(&kinv);
562*f0865ec9SKyle Evans prj_pt_uninit(&kG);
563*f0865ec9SKyle Evans #ifdef USE_SIG_BLINDING
564*f0865ec9SKyle Evans nn_uninit(&b);
565*f0865ec9SKyle Evans #endif
566*f0865ec9SKyle Evans
567*f0865ec9SKyle Evans /*
568*f0865ec9SKyle Evans * We can now clear data part of the context. This will clear
569*f0865ec9SKyle Evans * magic and avoid further reuse of the whole context.
570*f0865ec9SKyle Evans */
571*f0865ec9SKyle Evans if(ctx != NULL){
572*f0865ec9SKyle Evans IGNORE_RET_VAL(local_memset(&(ctx->sign_data.ecdsa), 0, sizeof(ecdsa_sign_data)));
573*f0865ec9SKyle Evans }
574*f0865ec9SKyle Evans
575*f0865ec9SKyle Evans /* Clean what remains on the stack */
576*f0865ec9SKyle Evans PTR_NULLIFY(priv_key);
577*f0865ec9SKyle Evans PTR_NULLIFY(G);
578*f0865ec9SKyle Evans PTR_NULLIFY(q);
579*f0865ec9SKyle Evans PTR_NULLIFY(x);
580*f0865ec9SKyle Evans VAR_ZEROIFY(q_len);
581*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len);
582*f0865ec9SKyle Evans VAR_ZEROIFY(rshift);
583*f0865ec9SKyle Evans VAR_ZEROIFY(hsize);
584*f0865ec9SKyle Evans
585*f0865ec9SKyle Evans return ret;
586*f0865ec9SKyle Evans }
587*f0865ec9SKyle Evans
588*f0865ec9SKyle Evans /*
589*f0865ec9SKyle Evans * Generic *internal* ECDSA verification functions (init, update and finalize).
590*f0865ec9SKyle Evans * Their purpose is to allow passing a specific hash function (along with
591*f0865ec9SKyle Evans * its output size) and the random ephemeral key k, so that compliance
592*f0865ec9SKyle Evans * tests against test vectors can be made without ugly hack in the code
593*f0865ec9SKyle Evans * itself.
594*f0865ec9SKyle Evans *
595*f0865ec9SKyle Evans * Global ECDSA verification process is as follows (I,U,F provides
596*f0865ec9SKyle Evans * information in which function(s) (init(), update() or finalize())
597*f0865ec9SKyle Evans * a specific step is performed):
598*f0865ec9SKyle Evans *
599*f0865ec9SKyle Evans *| IUF - ECDSA verification
600*f0865ec9SKyle Evans *|
601*f0865ec9SKyle Evans *| I 1. Reject the signature if r or s is 0.
602*f0865ec9SKyle Evans *| UF 2. Compute h = H(m)
603*f0865ec9SKyle Evans *| F 3. If |h| > bitlen(q), set h to bitlen(q)
604*f0865ec9SKyle Evans *| leftmost (most significant) bits of h
605*f0865ec9SKyle Evans *| F 4. Compute e = OS2I(h) mod q
606*f0865ec9SKyle Evans *| F 5. Compute u = (s^-1)e mod q
607*f0865ec9SKyle Evans *| F 6. Compute v = (s^-1)r mod q
608*f0865ec9SKyle Evans *| F 7. Compute W' = uG + vY
609*f0865ec9SKyle Evans *| F 8. If W' is the point at infinity, reject the signature.
610*f0865ec9SKyle Evans *| F 9. Compute r' = W'_x mod q
611*f0865ec9SKyle Evans *| F 10. Accept the signature if and only if r equals r'
612*f0865ec9SKyle Evans *
613*f0865ec9SKyle Evans */
614*f0865ec9SKyle Evans
615*f0865ec9SKyle Evans #define ECDSA_VERIFY_MAGIC ((word_t)(0x5155fe73e7fd51beULL))
616*f0865ec9SKyle Evans #define ECDSA_VERIFY_CHECK_INITIALIZED(A, ret, err) \
617*f0865ec9SKyle Evans MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == ECDSA_VERIFY_MAGIC), ret, err)
618*f0865ec9SKyle Evans
__ecdsa_verify_init(struct ec_verify_context * ctx,const u8 * sig,u8 siglen,ec_alg_type key_type)619*f0865ec9SKyle Evans int __ecdsa_verify_init(struct ec_verify_context *ctx, const u8 *sig, u8 siglen,
620*f0865ec9SKyle Evans ec_alg_type key_type)
621*f0865ec9SKyle Evans {
622*f0865ec9SKyle Evans bitcnt_t q_bit_len;
623*f0865ec9SKyle Evans u8 q_len;
624*f0865ec9SKyle Evans nn_src_t q;
625*f0865ec9SKyle Evans nn *r, *s;
626*f0865ec9SKyle Evans int ret, cmp1, cmp2, iszero1, iszero2;
627*f0865ec9SKyle Evans
628*f0865ec9SKyle Evans /* First, verify context has been initialized */
629*f0865ec9SKyle Evans ret = sig_verify_check_initialized(ctx); EG(ret, err);
630*f0865ec9SKyle Evans
631*f0865ec9SKyle Evans /* Do some sanity checks on input params */
632*f0865ec9SKyle Evans ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err);
633*f0865ec9SKyle Evans MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) &&
634*f0865ec9SKyle Evans (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err);
635*f0865ec9SKyle Evans MUST_HAVE((sig != NULL), ret, err);
636*f0865ec9SKyle Evans
637*f0865ec9SKyle Evans /* Make things more readable */
638*f0865ec9SKyle Evans q = &(ctx->pub_key->params->ec_gen_order);
639*f0865ec9SKyle Evans q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen;
640*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len);
641*f0865ec9SKyle Evans r = &(ctx->verify_data.ecdsa.r);
642*f0865ec9SKyle Evans s = &(ctx->verify_data.ecdsa.s);
643*f0865ec9SKyle Evans
644*f0865ec9SKyle Evans /* Check given signature length is the expected one */
645*f0865ec9SKyle Evans MUST_HAVE((siglen == ECDSA_SIGLEN(q_bit_len)), ret, err);
646*f0865ec9SKyle Evans
647*f0865ec9SKyle Evans /* Import r and s values from signature buffer */
648*f0865ec9SKyle Evans ret = nn_init_from_buf(r, sig, q_len); EG(ret, err);
649*f0865ec9SKyle Evans ret = nn_init_from_buf(s, sig + q_len, q_len); EG(ret, err);
650*f0865ec9SKyle Evans dbg_nn_print("r", r);
651*f0865ec9SKyle Evans dbg_nn_print("s", s);
652*f0865ec9SKyle Evans
653*f0865ec9SKyle Evans /* 1. Reject the signature if r or s is 0. */
654*f0865ec9SKyle Evans ret = nn_iszero(r, &iszero1); EG(ret, err);
655*f0865ec9SKyle Evans ret = nn_iszero(s, &iszero2); EG(ret, err);
656*f0865ec9SKyle Evans ret = nn_cmp(r, q, &cmp1); EG(ret, err);
657*f0865ec9SKyle Evans ret = nn_cmp(s, q, &cmp2); EG(ret, err);
658*f0865ec9SKyle Evans MUST_HAVE(((!iszero1) && (cmp1 < 0) && !iszero2 && (cmp2 < 0)), ret, err);
659*f0865ec9SKyle Evans
660*f0865ec9SKyle Evans /* Initialize the remaining of verify context. */
661*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */
662*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
663*f0865ec9SKyle Evans ret = ctx->h->hfunc_init(&(ctx->verify_data.ecdsa.h_ctx)); EG(ret, err);
664*f0865ec9SKyle Evans
665*f0865ec9SKyle Evans ctx->verify_data.ecdsa.magic = ECDSA_VERIFY_MAGIC;
666*f0865ec9SKyle Evans
667*f0865ec9SKyle Evans err:
668*f0865ec9SKyle Evans VAR_ZEROIFY(q_len);
669*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len);
670*f0865ec9SKyle Evans PTR_NULLIFY(q);
671*f0865ec9SKyle Evans PTR_NULLIFY(r);
672*f0865ec9SKyle Evans PTR_NULLIFY(s);
673*f0865ec9SKyle Evans
674*f0865ec9SKyle Evans return ret;
675*f0865ec9SKyle Evans }
676*f0865ec9SKyle Evans
__ecdsa_verify_update(struct ec_verify_context * ctx,const u8 * chunk,u32 chunklen,ec_alg_type key_type)677*f0865ec9SKyle Evans int __ecdsa_verify_update(struct ec_verify_context *ctx,
678*f0865ec9SKyle Evans const u8 *chunk, u32 chunklen, ec_alg_type key_type)
679*f0865ec9SKyle Evans {
680*f0865ec9SKyle Evans int ret;
681*f0865ec9SKyle Evans
682*f0865ec9SKyle Evans /*
683*f0865ec9SKyle Evans * First, verify context has been initialized and public
684*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA
685*f0865ec9SKyle Evans * verification one and we do not update() or finalize()
686*f0865ec9SKyle Evans * before init().
687*f0865ec9SKyle Evans */
688*f0865ec9SKyle Evans ret = sig_verify_check_initialized(ctx); EG(ret, err);
689*f0865ec9SKyle Evans ECDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecdsa), ret, err);
690*f0865ec9SKyle Evans /* Do some sanity checks on input params */
691*f0865ec9SKyle Evans ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err);
692*f0865ec9SKyle Evans
693*f0865ec9SKyle Evans /* 2. Compute h = H(m) */
694*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */
695*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
696*f0865ec9SKyle Evans ret = ctx->h->hfunc_update(&(ctx->verify_data.ecdsa.h_ctx), chunk, chunklen);
697*f0865ec9SKyle Evans
698*f0865ec9SKyle Evans err:
699*f0865ec9SKyle Evans return ret;
700*f0865ec9SKyle Evans }
701*f0865ec9SKyle Evans
__ecdsa_verify_finalize(struct ec_verify_context * ctx,ec_alg_type key_type)702*f0865ec9SKyle Evans int __ecdsa_verify_finalize(struct ec_verify_context *ctx,
703*f0865ec9SKyle Evans ec_alg_type key_type)
704*f0865ec9SKyle Evans {
705*f0865ec9SKyle Evans prj_pt uG, vY;
706*f0865ec9SKyle Evans prj_pt_t W_prime;
707*f0865ec9SKyle Evans nn e, sinv, uv, r_prime;
708*f0865ec9SKyle Evans prj_pt_src_t G, Y;
709*f0865ec9SKyle Evans u8 hash[MAX_DIGEST_SIZE];
710*f0865ec9SKyle Evans bitcnt_t rshift, q_bit_len;
711*f0865ec9SKyle Evans nn_src_t q;
712*f0865ec9SKyle Evans nn *s, *r;
713*f0865ec9SKyle Evans u8 hsize;
714*f0865ec9SKyle Evans int ret, iszero, cmp;
715*f0865ec9SKyle Evans
716*f0865ec9SKyle Evans uG.magic = vY.magic = WORD(0);
717*f0865ec9SKyle Evans e.magic = sinv.magic = uv.magic = r_prime.magic = WORD(0);
718*f0865ec9SKyle Evans
719*f0865ec9SKyle Evans /* NOTE: we reuse uG for W_prime to optimize local variables */
720*f0865ec9SKyle Evans W_prime = &uG;
721*f0865ec9SKyle Evans
722*f0865ec9SKyle Evans /*
723*f0865ec9SKyle Evans * First, verify context has been initialized and public
724*f0865ec9SKyle Evans * part too. This guarantees the context is an ECDSA
725*f0865ec9SKyle Evans * verification one and we do not finalize() before init().
726*f0865ec9SKyle Evans */
727*f0865ec9SKyle Evans ret = sig_verify_check_initialized(ctx); EG(ret, err);
728*f0865ec9SKyle Evans ECDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecdsa), ret, err);
729*f0865ec9SKyle Evans /* Do some sanity checks on input params */
730*f0865ec9SKyle Evans ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err);
731*f0865ec9SKyle Evans
732*f0865ec9SKyle Evans /* Zero init points */
733*f0865ec9SKyle Evans ret = local_memset(&uG, 0, sizeof(prj_pt)); EG(ret, err);
734*f0865ec9SKyle Evans ret = local_memset(&vY, 0, sizeof(prj_pt)); EG(ret, err);
735*f0865ec9SKyle Evans
736*f0865ec9SKyle Evans /* Make things more readable */
737*f0865ec9SKyle Evans G = &(ctx->pub_key->params->ec_gen);
738*f0865ec9SKyle Evans Y = &(ctx->pub_key->y);
739*f0865ec9SKyle Evans q = &(ctx->pub_key->params->ec_gen_order);
740*f0865ec9SKyle Evans q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen;
741*f0865ec9SKyle Evans hsize = ctx->h->digest_size;
742*f0865ec9SKyle Evans r = &(ctx->verify_data.ecdsa.r);
743*f0865ec9SKyle Evans s = &(ctx->verify_data.ecdsa.s);
744*f0865ec9SKyle Evans
745*f0865ec9SKyle Evans /* 2. Compute h = H(m) */
746*f0865ec9SKyle Evans /* Since we call a callback, sanity check our mapping */
747*f0865ec9SKyle Evans ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
748*f0865ec9SKyle Evans ret = ctx->h->hfunc_finalize(&(ctx->verify_data.ecdsa.h_ctx), hash); EG(ret, err);
749*f0865ec9SKyle Evans dbg_buf_print("h = H(m)", hash, hsize);
750*f0865ec9SKyle Evans
751*f0865ec9SKyle Evans /*
752*f0865ec9SKyle Evans * 3. If |h| > bitlen(q), set h to bitlen(q)
753*f0865ec9SKyle Evans * leftmost bits of h.
754*f0865ec9SKyle Evans *
755*f0865ec9SKyle Evans * Note that it's easier to check here if the truncation
756*f0865ec9SKyle Evans * needs to be done but implement it using a logical
757*f0865ec9SKyle Evans * shift at the beginning of step 3. below once the hash
758*f0865ec9SKyle Evans * has been converted to an integer.
759*f0865ec9SKyle Evans */
760*f0865ec9SKyle Evans rshift = 0;
761*f0865ec9SKyle Evans if ((hsize * 8) > q_bit_len) {
762*f0865ec9SKyle Evans rshift = (bitcnt_t)((hsize * 8) - q_bit_len);
763*f0865ec9SKyle Evans }
764*f0865ec9SKyle Evans
765*f0865ec9SKyle Evans /*
766*f0865ec9SKyle Evans * 4. Compute e = OS2I(h) mod q, by converting h to an integer
767*f0865ec9SKyle Evans * and reducing it mod q
768*f0865ec9SKyle Evans */
769*f0865ec9SKyle Evans ret = nn_init_from_buf(&e, hash, hsize); EG(ret, err);
770*f0865ec9SKyle Evans ret = local_memset(hash, 0, hsize); EG(ret, err);
771*f0865ec9SKyle Evans dbg_nn_print("h initial import as nn", &e);
772*f0865ec9SKyle Evans if (rshift) {
773*f0865ec9SKyle Evans ret = nn_rshift_fixedlen(&e, &e, rshift); EG(ret, err);
774*f0865ec9SKyle Evans }
775*f0865ec9SKyle Evans dbg_nn_print("h final import as nn", &e);
776*f0865ec9SKyle Evans
777*f0865ec9SKyle Evans ret = nn_mod(&e, &e, q); EG(ret, err);
778*f0865ec9SKyle Evans dbg_nn_print("e", &e);
779*f0865ec9SKyle Evans
780*f0865ec9SKyle Evans /* Compute s^-1 mod q */
781*f0865ec9SKyle Evans ret = nn_modinv(&sinv, s, q); EG(ret, err);
782*f0865ec9SKyle Evans dbg_nn_print("s", s);
783*f0865ec9SKyle Evans dbg_nn_print("sinv", &sinv);
784*f0865ec9SKyle Evans
785*f0865ec9SKyle Evans /* 5. Compute u = (s^-1)e mod q */
786*f0865ec9SKyle Evans ret = nn_mod_mul(&uv, &e, &sinv, q); EG(ret, err);
787*f0865ec9SKyle Evans dbg_nn_print("u = (s^-1)e mod q", &uv);
788*f0865ec9SKyle Evans ret = prj_pt_mul(&uG, &uv, G); EG(ret, err);
789*f0865ec9SKyle Evans
790*f0865ec9SKyle Evans /* 6. Compute v = (s^-1)r mod q */
791*f0865ec9SKyle Evans ret = nn_mod_mul(&uv, r, &sinv, q); EG(ret, err);
792*f0865ec9SKyle Evans dbg_nn_print("v = (s^-1)r mod q", &uv);
793*f0865ec9SKyle Evans ret = prj_pt_mul(&vY, &uv, Y); EG(ret, err);
794*f0865ec9SKyle Evans
795*f0865ec9SKyle Evans /* 7. Compute W' = uG + vY */
796*f0865ec9SKyle Evans ret = prj_pt_add(W_prime, &uG, &vY); EG(ret, err);
797*f0865ec9SKyle Evans
798*f0865ec9SKyle Evans /* 8. If W' is the point at infinity, reject the signature. */
799*f0865ec9SKyle Evans ret = prj_pt_iszero(W_prime, &iszero); EG(ret, err);
800*f0865ec9SKyle Evans MUST_HAVE(!iszero, ret, err);
801*f0865ec9SKyle Evans
802*f0865ec9SKyle Evans /* 9. Compute r' = W'_x mod q */
803*f0865ec9SKyle Evans ret = prj_pt_unique(W_prime, W_prime); EG(ret, err);
804*f0865ec9SKyle Evans dbg_nn_print("W'_x", &(W_prime->X.fp_val));
805*f0865ec9SKyle Evans dbg_nn_print("W'_y", &(W_prime->Y.fp_val));
806*f0865ec9SKyle Evans ret = nn_mod(&r_prime, &(W_prime->X.fp_val), q); EG(ret, err);
807*f0865ec9SKyle Evans
808*f0865ec9SKyle Evans /* 10. Accept the signature if and only if r equals r' */
809*f0865ec9SKyle Evans ret = nn_cmp(&r_prime, r, &cmp); EG(ret, err);
810*f0865ec9SKyle Evans ret = (cmp != 0) ? -1 : 0;
811*f0865ec9SKyle Evans
812*f0865ec9SKyle Evans err:
813*f0865ec9SKyle Evans prj_pt_uninit(&uG);
814*f0865ec9SKyle Evans prj_pt_uninit(&vY);
815*f0865ec9SKyle Evans nn_uninit(&e);
816*f0865ec9SKyle Evans nn_uninit(&sinv);
817*f0865ec9SKyle Evans nn_uninit(&uv);
818*f0865ec9SKyle Evans nn_uninit(&r_prime);
819*f0865ec9SKyle Evans
820*f0865ec9SKyle Evans /*
821*f0865ec9SKyle Evans * We can now clear data part of the context. This will clear
822*f0865ec9SKyle Evans * magic and avoid further reuse of the whole context.
823*f0865ec9SKyle Evans */
824*f0865ec9SKyle Evans if(ctx != NULL){
825*f0865ec9SKyle Evans IGNORE_RET_VAL(local_memset(&(ctx->verify_data.ecdsa), 0, sizeof(ecdsa_verify_data)));
826*f0865ec9SKyle Evans }
827*f0865ec9SKyle Evans
828*f0865ec9SKyle Evans /* Clean what remains on the stack */
829*f0865ec9SKyle Evans PTR_NULLIFY(W_prime);
830*f0865ec9SKyle Evans PTR_NULLIFY(G);
831*f0865ec9SKyle Evans PTR_NULLIFY(Y);
832*f0865ec9SKyle Evans VAR_ZEROIFY(rshift);
833*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len);
834*f0865ec9SKyle Evans PTR_NULLIFY(q);
835*f0865ec9SKyle Evans PTR_NULLIFY(s);
836*f0865ec9SKyle Evans PTR_NULLIFY(r);
837*f0865ec9SKyle Evans VAR_ZEROIFY(hsize);
838*f0865ec9SKyle Evans
839*f0865ec9SKyle Evans return ret;
840*f0865ec9SKyle Evans }
841*f0865ec9SKyle Evans
842*f0865ec9SKyle Evans /* Public key recovery from a signature.
843*f0865ec9SKyle Evans * For ECDSA, it is possible to recover two possible public keys from
844*f0865ec9SKyle Evans * a signature and a digest.
845*f0865ec9SKyle Evans *
846*f0865ec9SKyle Evans * Please note that this recovery is not perfect as some information is
847*f0865ec9SKyle Evans * lost when reducing Rx modulo the order q during the signature. Hence,
848*f0865ec9SKyle Evans * a few possible R points can provide the same r. The following algorithm
849*f0865ec9SKyle Evans * assumes that Rx == r, i.e. Rx is < q and already reduced. This should
850*f0865ec9SKyle Evans * happen with a probability q / p, and "bad" cases with probability
851*f0865ec9SKyle Evans * (p - q) / p. Actually, some small multiples of r are also tested,
852*f0865ec9SKyle Evans * but we give up after 10 tries as this can be very time consuming.
853*f0865ec9SKyle Evans *
854*f0865ec9SKyle Evans * With usual curve parameters, this last probability is negligible if
855*f0865ec9SKyle Evans * everything is random (which should be the case for a "regular" signature
856*f0865ec9SKyle Evans * algorithm) for curves with cofactor = 1. However, an adversary could
857*f0865ec9SKyle Evans * willingly choose a Rx > q and the following algorithm will most certainly
858*f0865ec9SKyle Evans * fail.
859*f0865ec9SKyle Evans *
860*f0865ec9SKyle Evans * For curves with cofactor > 1, q is usually some orders of magnitudes
861*f0865ec9SKyle Evans * smaller than p and this function will certainly fail.
862*f0865ec9SKyle Evans *
863*f0865ec9SKyle Evans * Please use the resulting public keys with care and with all these
864*f0865ec9SKyle Evans * warnings in mind!
865*f0865ec9SKyle Evans *
866*f0865ec9SKyle Evans */
__ecdsa_public_key_from_sig(ec_pub_key * out_pub1,ec_pub_key * out_pub2,const ec_params * params,const u8 * sig,u8 siglen,const u8 * hash,u8 hsize,ec_alg_type key_type)867*f0865ec9SKyle Evans int __ecdsa_public_key_from_sig(ec_pub_key *out_pub1, ec_pub_key *out_pub2, const ec_params *params,
868*f0865ec9SKyle Evans const u8 *sig, u8 siglen, const u8 *hash, u8 hsize,
869*f0865ec9SKyle Evans ec_alg_type key_type)
870*f0865ec9SKyle Evans {
871*f0865ec9SKyle Evans int ret, iszero1, iszero2, cmp1, cmp2;
872*f0865ec9SKyle Evans prj_pt uG;
873*f0865ec9SKyle Evans prj_pt_t Y1, Y2;
874*f0865ec9SKyle Evans prj_pt_src_t G;
875*f0865ec9SKyle Evans nn u, v, e, r, s;
876*f0865ec9SKyle Evans nn_src_t q, p;
877*f0865ec9SKyle Evans bitcnt_t rshift, q_bit_len;
878*f0865ec9SKyle Evans u8 q_len;
879*f0865ec9SKyle Evans word_t order_multiplier = WORD(1);
880*f0865ec9SKyle Evans
881*f0865ec9SKyle Evans uG.magic = WORD(0);
882*f0865ec9SKyle Evans u.magic = v.magic = e.magic = r.magic = s.magic = WORD(0);
883*f0865ec9SKyle Evans
884*f0865ec9SKyle Evans /* Zero init points */
885*f0865ec9SKyle Evans ret = local_memset(&uG, 0, sizeof(prj_pt)); EG(ret, err);
886*f0865ec9SKyle Evans
887*f0865ec9SKyle Evans /* Sanity checks */
888*f0865ec9SKyle Evans MUST_HAVE((params != NULL) && (sig != NULL) && (hash != NULL) && (out_pub1 != NULL) && (out_pub2 != NULL), ret, err);
889*f0865ec9SKyle Evans
890*f0865ec9SKyle Evans /* Import our params */
891*f0865ec9SKyle Evans G = &(params->ec_gen);
892*f0865ec9SKyle Evans p = &(params->ec_fp.p);
893*f0865ec9SKyle Evans q = &(params->ec_gen_order);
894*f0865ec9SKyle Evans q_bit_len = params->ec_gen_order_bitlen;
895*f0865ec9SKyle Evans q_len = (u8)BYTECEIL(q_bit_len);
896*f0865ec9SKyle Evans Y1 = &(out_pub1->y);
897*f0865ec9SKyle Evans Y2 = &(out_pub2->y);
898*f0865ec9SKyle Evans
899*f0865ec9SKyle Evans /* Check given signature length is the expected one */
900*f0865ec9SKyle Evans MUST_HAVE((siglen == ECDSA_SIGLEN(q_bit_len)), ret, err);
901*f0865ec9SKyle Evans
902*f0865ec9SKyle Evans restart:
903*f0865ec9SKyle Evans /* Import r and s values from signature buffer */
904*f0865ec9SKyle Evans ret = nn_init_from_buf(&r, sig, q_len); EG(ret, err);
905*f0865ec9SKyle Evans ret = nn_init_from_buf(&s, sig + q_len, q_len); EG(ret, err);
906*f0865ec9SKyle Evans
907*f0865ec9SKyle Evans /* Reject the signature if r or s is 0. */
908*f0865ec9SKyle Evans ret = nn_iszero(&r, &iszero1); EG(ret, err);
909*f0865ec9SKyle Evans ret = nn_iszero(&s, &iszero2); EG(ret, err);
910*f0865ec9SKyle Evans ret = nn_cmp(&r, q, &cmp1); EG(ret, err);
911*f0865ec9SKyle Evans ret = nn_cmp(&s, q, &cmp2); EG(ret, err);
912*f0865ec9SKyle Evans MUST_HAVE(((!iszero1) && (cmp1 < 0) && !iszero2 && (cmp2 < 0)), ret, err);
913*f0865ec9SKyle Evans
914*f0865ec9SKyle Evans /* Add a multiple of the order to r using our current order multiplier */
915*f0865ec9SKyle Evans if(order_multiplier > 1){
916*f0865ec9SKyle Evans int cmp;
917*f0865ec9SKyle Evans ret = nn_init(&u, 0);
918*f0865ec9SKyle Evans ret = nn_mul_word(&u, q, order_multiplier); EG(ret, err);
919*f0865ec9SKyle Evans ret = nn_add(&r, &r, &u); EG(ret, err);
920*f0865ec9SKyle Evans /* If we have reached > p, leave with an error */
921*f0865ec9SKyle Evans ret = nn_cmp(&r, p, &cmp); EG(ret, err);
922*f0865ec9SKyle Evans /* NOTE: we do not use a MUST_HAVE macro here since
923*f0865ec9SKyle Evans * this condition can nominally happen, and we do not want
924*f0865ec9SKyle Evans * a MUST_HAVE in debug mode (i.e. with an assert) to break
925*f0865ec9SKyle Evans * the execution flow.
926*f0865ec9SKyle Evans */
927*f0865ec9SKyle Evans if(cmp < 0){
928*f0865ec9SKyle Evans ret = -1;
929*f0865ec9SKyle Evans goto err;
930*f0865ec9SKyle Evans }
931*f0865ec9SKyle Evans }
932*f0865ec9SKyle Evans
933*f0865ec9SKyle Evans /*
934*f0865ec9SKyle Evans * Compute e.
935*f0865ec9SKyle Evans * If |h| > bitlen(q), set h to bitlen(q)
936*f0865ec9SKyle Evans * leftmost bits of h.
937*f0865ec9SKyle Evans *
938*f0865ec9SKyle Evans * Note that it's easier to check here if the truncation
939*f0865ec9SKyle Evans * needs to be done but implement it using a logical
940*f0865ec9SKyle Evans * shift.
941*f0865ec9SKyle Evans */
942*f0865ec9SKyle Evans rshift = 0;
943*f0865ec9SKyle Evans if ((hsize * 8) > q_bit_len) {
944*f0865ec9SKyle Evans rshift = (bitcnt_t)((hsize * 8) - q_bit_len);
945*f0865ec9SKyle Evans }
946*f0865ec9SKyle Evans ret = nn_init_from_buf(&e, hash, hsize); EG(ret, err);
947*f0865ec9SKyle Evans if (rshift) {
948*f0865ec9SKyle Evans ret = nn_rshift_fixedlen(&e, &e, rshift); EG(ret, err);
949*f0865ec9SKyle Evans }
950*f0865ec9SKyle Evans ret = nn_mod(&e, &e, q); EG(ret, err);
951*f0865ec9SKyle Evans
952*f0865ec9SKyle Evans /* Now to find the y coordinate by solving the curve equation.
953*f0865ec9SKyle Evans * NOTE: we use uG as temporary storage.
954*f0865ec9SKyle Evans */
955*f0865ec9SKyle Evans ret = fp_init(&(uG.X), &(params->ec_fp)); EG(ret, err);
956*f0865ec9SKyle Evans ret = fp_init(&(uG.Y), &(params->ec_fp)); EG(ret, err);
957*f0865ec9SKyle Evans ret = fp_init(&(uG.Z), &(params->ec_fp)); EG(ret, err);
958*f0865ec9SKyle Evans ret = fp_set_nn(&(uG.Z), &r); EG(ret, err);
959*f0865ec9SKyle Evans ret = aff_pt_y_from_x(&(uG.X), &(uG.Y), &(uG.Z), &(params->ec_curve));
960*f0865ec9SKyle Evans if(ret){
961*f0865ec9SKyle Evans /* If we have failed here, this means that our r has certainly been
962*f0865ec9SKyle Evans * reduced. Increment our multiplier and restart the process.
963*f0865ec9SKyle Evans */
964*f0865ec9SKyle Evans order_multiplier = (word_t)(order_multiplier + 1);
965*f0865ec9SKyle Evans if(order_multiplier > 10){
966*f0865ec9SKyle Evans /* Too much tries, leave ... */
967*f0865ec9SKyle Evans ret = -1;
968*f0865ec9SKyle Evans goto err;
969*f0865ec9SKyle Evans }
970*f0865ec9SKyle Evans goto restart;
971*f0865ec9SKyle Evans }
972*f0865ec9SKyle Evans
973*f0865ec9SKyle Evans /* Initialize Y1 and Y2 */
974*f0865ec9SKyle Evans ret = fp_init(&(Y2->Z), &(params->ec_fp)); EG(ret, err);
975*f0865ec9SKyle Evans ret = fp_one(&(Y2->Z)); EG(ret, err);
976*f0865ec9SKyle Evans /* Y1 */
977*f0865ec9SKyle Evans ret = prj_pt_init_from_coords(Y1, &(params->ec_curve), &(uG.Z), &(uG.X), &(Y2->Z)); EG(ret, err);
978*f0865ec9SKyle Evans /* Y2 */
979*f0865ec9SKyle Evans ret = prj_pt_init_from_coords(Y2, &(params->ec_curve), &(uG.Z), &(uG.Y), &(Y1->Z)); EG(ret, err);
980*f0865ec9SKyle Evans
981*f0865ec9SKyle Evans /* Now compute u = (-e r^-1) mod q, and v = (s r^-1) mod q */
982*f0865ec9SKyle Evans ret = nn_init(&u, 0); EG(ret, err);
983*f0865ec9SKyle Evans ret = nn_init(&v, 0); EG(ret, err);
984*f0865ec9SKyle Evans ret = nn_modinv(&r, &r, q); EG(ret, err);
985*f0865ec9SKyle Evans /* u */
986*f0865ec9SKyle Evans ret = nn_mod_mul(&u, &e, &r, q); EG(ret, err);
987*f0865ec9SKyle Evans /* NOTE: -x mod q is (q - x) mod q, i.e. (q - x) when x is reduced, except for 0 */
988*f0865ec9SKyle Evans ret = nn_mod_neg(&u, &u, q); EG(ret, err);
989*f0865ec9SKyle Evans /* v */
990*f0865ec9SKyle Evans ret = nn_mod_mul(&v, &s, &r, q); EG(ret, err);
991*f0865ec9SKyle Evans
992*f0865ec9SKyle Evans /* Compute uG */
993*f0865ec9SKyle Evans ret = prj_pt_mul(&uG, &u, G); EG(ret, err);
994*f0865ec9SKyle Evans /* Compute vR1 and possible Y1 */
995*f0865ec9SKyle Evans ret = prj_pt_mul(Y1, &v, Y1); EG(ret, err);
996*f0865ec9SKyle Evans ret = prj_pt_add(Y1, Y1, &uG); EG(ret, err);
997*f0865ec9SKyle Evans /* Compute vR2 and possible Y2 */
998*f0865ec9SKyle Evans ret = prj_pt_mul(Y2, &v, Y2); EG(ret, err);
999*f0865ec9SKyle Evans ret = prj_pt_add(Y2, Y2, &uG); EG(ret, err);
1000*f0865ec9SKyle Evans
1001*f0865ec9SKyle Evans /* Now initialize our two public keys */
1002*f0865ec9SKyle Evans /* out_pub1 */
1003*f0865ec9SKyle Evans out_pub1->key_type = key_type;
1004*f0865ec9SKyle Evans out_pub1->params = params;
1005*f0865ec9SKyle Evans out_pub1->magic = PUB_KEY_MAGIC;
1006*f0865ec9SKyle Evans /* out_pub2 */
1007*f0865ec9SKyle Evans out_pub2->key_type = key_type;
1008*f0865ec9SKyle Evans out_pub2->params = params;
1009*f0865ec9SKyle Evans out_pub2->magic = PUB_KEY_MAGIC;
1010*f0865ec9SKyle Evans
1011*f0865ec9SKyle Evans ret = 0;
1012*f0865ec9SKyle Evans
1013*f0865ec9SKyle Evans err:
1014*f0865ec9SKyle Evans prj_pt_uninit(&uG);
1015*f0865ec9SKyle Evans nn_uninit(&r);
1016*f0865ec9SKyle Evans nn_uninit(&s);
1017*f0865ec9SKyle Evans nn_uninit(&u);
1018*f0865ec9SKyle Evans nn_uninit(&v);
1019*f0865ec9SKyle Evans nn_uninit(&e);
1020*f0865ec9SKyle Evans
1021*f0865ec9SKyle Evans /* Clean what remains on the stack */
1022*f0865ec9SKyle Evans PTR_NULLIFY(G);
1023*f0865ec9SKyle Evans PTR_NULLIFY(Y1);
1024*f0865ec9SKyle Evans PTR_NULLIFY(Y2);
1025*f0865ec9SKyle Evans VAR_ZEROIFY(rshift);
1026*f0865ec9SKyle Evans VAR_ZEROIFY(q_bit_len);
1027*f0865ec9SKyle Evans PTR_NULLIFY(q);
1028*f0865ec9SKyle Evans PTR_NULLIFY(p);
1029*f0865ec9SKyle Evans
1030*f0865ec9SKyle Evans return ret;
1031*f0865ec9SKyle Evans }
1032*f0865ec9SKyle Evans
1033*f0865ec9SKyle Evans #else /* defined(WITH_SIG_ECDSA) || defined(WITH_SIG_DECDSA) */
1034*f0865ec9SKyle Evans
1035*f0865ec9SKyle Evans /*
1036*f0865ec9SKyle Evans * Dummy definition to avoid the empty translation unit ISO C warning
1037*f0865ec9SKyle Evans */
1038*f0865ec9SKyle Evans typedef int dummy;
1039*f0865ec9SKyle Evans #endif /* WITH_SIG_ECDSA */
1040