/src/openssl/crypto/ec/ecdsa_ossl.c

Source (jump to first uncovered line)
/*
 * Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * ECDSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h>
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/rand.h>
#include "crypto/bn.h"
#include "ec_local.h"
#include "internal/deterministic_nonce.h"

#define MIN_ECDSA_SIGN_ORDERBITS 64
/*
 * It is highly unlikely that a retry will happen,
 * Multiple retries would indicate that something is wrong
 * with the group parameters (which would normally only happen
 * with a bad custom group).
 */
#define MAX_ECDSA_SIGN_RETRIES 8

static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
                            BIGNUM **kinvp, BIGNUM **rp,
                            const unsigned char *dgst, int dlen,
                            unsigned int nonce_type, const char *digestname,
                            OSSL_LIB_CTX *libctx, const char *propq);

int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                          BIGNUM **rp)
{
    if (eckey->group->meth->ecdsa_sign_setup == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
        return 0;
    }

    return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
}

ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
                               const BIGNUM *in_kinv, const BIGNUM *in_r,
                               EC_KEY *eckey)
{
    if (eckey->group->meth->ecdsa_sign_sig == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
        return NULL;
    }

    return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
                                              in_kinv, in_r, eckey);
}

int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
                          const ECDSA_SIG *sig, EC_KEY *eckey)
{
    if (eckey->group->meth->ecdsa_verify_sig == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
        return 0;
    }

    return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
}

int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
                    unsigned char *sig, unsigned int *siglen,
                    const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
{
    ECDSA_SIG *s;

    if (sig == NULL && (kinv == NULL || r == NULL)) {
        *siglen = ECDSA_size(eckey);
        return 1;
    }

    s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
    if (s == NULL) {
        *siglen = 0;
        return 0;
    }
    *siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
    ECDSA_SIG_free(s);
    return 1;
}

int ossl_ecdsa_deterministic_sign(const unsigned char *dgst, int dlen,
                                  unsigned char *sig, unsigned int *siglen,
                                  EC_KEY *eckey, unsigned int nonce_type,
                                  const char *digestname,
                                  OSSL_LIB_CTX *libctx, const char *propq)
{
    ECDSA_SIG *s;
    BIGNUM *kinv = NULL, *r = NULL;
    int ret = 0;

    if (sig == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    if (digestname == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_INVALID_DIGEST);
        return 0;
    }

    *siglen = 0;
    if (!ecdsa_sign_setup(eckey, NULL, &kinv, &r, dgst, dlen,
                          nonce_type, digestname, libctx, propq))
        return 0;

    s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
    if (s == NULL)
        goto end;

    *siglen = i2d_ECDSA_SIG(s, &sig);
    ECDSA_SIG_free(s);
    ret = 1;
end:
    BN_clear_free(kinv);
    BN_clear_free(r);
    return ret;
}

static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
                            BIGNUM **kinvp, BIGNUM **rp,
                            const unsigned char *dgst, int dlen,
                            unsigned int nonce_type, const char *digestname,
                            OSSL_LIB_CTX *libctx, const char *propq)
{
    BN_CTX *ctx = NULL;
    BIGNUM *k = NULL, *r = NULL, *X = NULL;
    const BIGNUM *order;
    EC_POINT *tmp_point = NULL;
    const EC_GROUP *group;
    int ret = 0;
    int order_bits;
    const BIGNUM *priv_key;

    if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY);
        return 0;
    }

    if (!EC_KEY_can_sign(eckey)) {
        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
        return 0;
    }

    if ((ctx = ctx_in) == NULL) {
        if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL) {
            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
            return 0;
        }
    }

    k = BN_secure_new();        /* this value is later returned in *kinvp */
    r = BN_new();               /* this value is later returned in *rp */
    X = BN_new();
    if (k == NULL || r == NULL || X == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    if ((tmp_point = EC_POINT_new(group)) == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }

    if ((order = EC_GROUP_get0_order(group)) == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }

    /* Preallocate space */
    order_bits = BN_num_bits(order);
    /* Check the number of bits here so that an infinite loop is not possible */
    if (order_bits < MIN_ECDSA_SIGN_ORDERBITS
        || !BN_set_bit(k, order_bits)
        || !BN_set_bit(r, order_bits)
        || !BN_set_bit(X, order_bits))
        goto err;

    do {
        /* get random or deterministic value of k */
        do {
            int res = 0;

            if (dgst != NULL) {
                if (nonce_type == 1) {
#ifndef FIPS_MODULE
                    res = ossl_gen_deterministic_nonce_rfc6979(k, order,
                                                               priv_key,
                                                               dgst, dlen,
                                                               digestname,
                                                               libctx, propq);
#endif
                } else {
                    res = ossl_bn_gen_dsa_nonce_fixed_top(k, order, priv_key,
                                                          dgst, dlen, ctx);
                }
            } else {
                res = ossl_bn_priv_rand_range_fixed_top(k, order, 0, ctx);
            }
            if (!res) {
                ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
                goto err;
            }
        } while (ossl_bn_is_word_fixed_top(k, 0));

        /* compute r the x-coordinate of generator * k */
        if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
            ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
            goto err;
        }

        if (!EC_POINT_get_affine_coordinates(group, tmp_point, X, NULL, ctx)) {
            ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
            goto err;
        }

        if (!BN_nnmod(r, X, order, ctx)) {
            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
            goto err;
        }
    } while (BN_is_zero(r));

    /* compute the inverse of k */
    if (!ossl_ec_group_do_inverse_ord(group, k, k, ctx)) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }

    /* clear old values if necessary */
    BN_clear_free(*rp);
    BN_clear_free(*kinvp);
    /* save the pre-computed values  */
    *rp = r;
    *kinvp = k;
    ret = 1;
 err:
    if (!ret) {
        BN_clear_free(k);
        BN_clear_free(r);
    }
    if (ctx != ctx_in)
        BN_CTX_free(ctx);
    EC_POINT_free(tmp_point);
    BN_clear_free(X);
    return ret;
}

int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                                 BIGNUM **rp)
{
    return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0,
                            0, NULL, NULL, NULL);
}

ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
                                      const BIGNUM *in_kinv, const BIGNUM *in_r,
                                      EC_KEY *eckey)
{
    int ok = 0, i;
    int retries = 0;
    BIGNUM *kinv = NULL, *s, *m = NULL;
    const BIGNUM *order, *ckinv;
    BN_CTX *ctx = NULL;
    const EC_GROUP *group;
    ECDSA_SIG *ret;
    const BIGNUM *priv_key;

    group = EC_KEY_get0_group(eckey);
    priv_key = EC_KEY_get0_private_key(eckey);

    if (group == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
        return NULL;
    }
    if (priv_key == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY);
        return NULL;
    }

    if (!EC_KEY_can_sign(eckey)) {
        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
        return NULL;
    }

    ret = ECDSA_SIG_new();
    if (ret == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
        return NULL;
    }
    ret->r = BN_new();
    ret->s = BN_new();
    if (ret->r == NULL || ret->s == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    s = ret->s;

    if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL
        || (m = BN_new()) == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }

    if ((order = EC_GROUP_get0_order(group)) == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }

    i = BN_num_bits(order);
    /*
     * Need to truncate digest if it is too long: first truncate whole bytes.
     */
    if (8 * dgst_len > i)
        dgst_len = (i + 7) / 8;
    if (!BN_bin2bn(dgst, dgst_len, m)) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    /* If still too long, truncate remaining bits with a shift */
    if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    do {
        if (in_kinv == NULL || in_r == NULL) {
            if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len,
                                  0, NULL, NULL, NULL)) {
                ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
                goto err;
            }
            ckinv = kinv;
        } else {
            ckinv = in_kinv;
            if (BN_copy(ret->r, in_r) == NULL) {
                ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
                goto err;
            }
        }

        /*
         * With only one multiplicant being in Montgomery domain
         * multiplication yields real result without post-conversion.
         * Also note that all operations but last are performed with
         * zero-padded vectors. Last operation, BN_mod_mul_montgomery
         * below, returns user-visible value with removed zero padding.
         */
        if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
            || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
            goto err;
        }
        if (!bn_mod_add_fixed_top(s, s, m, order)) {
            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
            goto err;
        }
        /*
         * |s| can still be larger than modulus, because |m| can be. In
         * such case we count on Montgomery reduction to tie it up.
         */
        if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
            || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
            goto err;
        }

        if (BN_is_zero(s)) {
            /*
             * if kinv and r have been supplied by the caller, don't
             * generate new kinv and r values
             */
            if (in_kinv != NULL && in_r != NULL) {
                ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES);
                goto err;
            }
            /* Avoid infinite loops cause by invalid group parameters */
            if (retries++ > MAX_ECDSA_SIGN_RETRIES) {
                ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES);
                goto err;
            }
        } else {
            /* s != 0 => we have a valid signature */
            break;
        }
    } while (1);

    ok = 1;
 err:
    if (!ok) {
        ECDSA_SIG_free(ret);
        ret = NULL;
    }
    BN_CTX_free(ctx);
    BN_clear_free(m);
    BN_clear_free(kinv);
    return ret;
}

/*-
 * returns
 *      1: correct signature
 *      0: incorrect signature
 *     -1: error
 */
int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
                      const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
{
    ECDSA_SIG *s;
    const unsigned char *p = sigbuf;
    unsigned char *der = NULL;
    int derlen = -1;
    int ret = -1;

    s = ECDSA_SIG_new();
    if (s == NULL)
        return ret;
    if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL)
        goto err;
    /* Ensure signature uses DER and doesn't have trailing garbage */
    derlen = i2d_ECDSA_SIG(s, &der);
    if (derlen != sig_len || memcmp(sigbuf, der, derlen) != 0)
        goto err;
    ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
 err:
    OPENSSL_free(der);
    ECDSA_SIG_free(s);
    return ret;
}

int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
                                 const ECDSA_SIG *sig, EC_KEY *eckey)
{
    int ret = -1, i;
    BN_CTX *ctx;
    const BIGNUM *order;
    BIGNUM *u1, *u2, *m, *X;
    EC_POINT *point = NULL;
    const EC_GROUP *group;
    const EC_POINT *pub_key;

    /* check input values */
    if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
        (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_MISSING_PARAMETERS);
        return -1;
    }

    if (!EC_KEY_can_sign(eckey)) {
        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
        return -1;
    }

    ctx = BN_CTX_new_ex(eckey->libctx);
    if (ctx == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        return -1;
    }
    BN_CTX_start(ctx);
    u1 = BN_CTX_get(ctx);
    u2 = BN_CTX_get(ctx);
    m = BN_CTX_get(ctx);
    X = BN_CTX_get(ctx);
    if (X == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }

    order = EC_GROUP_get0_order(group);
    if (order == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }

    if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
        BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
        BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
        ERR_raise(ERR_LIB_EC, EC_R_BAD_SIGNATURE);
        ret = 0;                /* signature is invalid */
        goto err;
    }
    /* calculate tmp1 = inv(S) mod order */
    if (!ossl_ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    /* digest -> m */
    i = BN_num_bits(order);
    /*
     * Need to truncate digest if it is too long: first truncate whole bytes.
     */
    if (8 * dgst_len > i)
        dgst_len = (i + 7) / 8;
    if (!BN_bin2bn(dgst, dgst_len, m)) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    /* If still too long truncate remaining bits with a shift */
    if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    /* u1 = m * tmp mod order */
    if (!BN_mod_mul(u1, m, u2, order, ctx)) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    /* u2 = r * w mod q */
    if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }

    if ((point = EC_POINT_new(group)) == NULL) {
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }
    if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }

    if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }

    if (!BN_nnmod(u1, X, order, ctx)) {
        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
        goto err;
    }
    /*  if the signature is correct u1 is equal to sig->r */
    ret = (BN_ucmp(u1, sig->r) == 0);
 err:
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    EC_POINT_free(point);
    return ret;
}

Coverage Report

Created: 2025-06-13 06:55

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* ECDSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <string.h>
17		#include <openssl/err.h>
18		#include <openssl/obj_mac.h>
19		#include <openssl/rand.h>
20		#include "crypto/bn.h"
21		#include "ec_local.h"
22		#include "internal/deterministic_nonce.h"
23
24	0	#define MIN_ECDSA_SIGN_ORDERBITS 64
25		/*
26		* It is highly unlikely that a retry will happen,
27		* Multiple retries would indicate that something is wrong
28		* with the group parameters (which would normally only happen
29		* with a bad custom group).
30		*/
31	0	#define MAX_ECDSA_SIGN_RETRIES 8
32
33		static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in,
34		BIGNUM kinvp, BIGNUM rp,
35		const unsigned char *dgst, int dlen,
36		unsigned int nonce_type, const char *digestname,
37		OSSL_LIB_CTX libctx, const char propq);
38
39		int ossl_ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
40		BIGNUM **rp)
41	0	{
42	0	if (eckey->group->meth->ecdsa_sign_setup == NULL) {
43	0	ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
44	0	return 0;
45	0	}
46
47	0	return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
48	0	}
49
50		ECDSA_SIG ossl_ecdsa_sign_sig(const unsigned char dgst, int dgst_len,
51		const BIGNUM in_kinv, const BIGNUM in_r,
52		EC_KEY *eckey)
53	0	{
54	0	if (eckey->group->meth->ecdsa_sign_sig == NULL) {
55	0	ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
56	0	return NULL;
57	0	}
58
59	0	return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
60	0	in_kinv, in_r, eckey);
61	0	}
62
63		int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
64		const ECDSA_SIG sig, EC_KEY eckey)
65	0	{
66	0	if (eckey->group->meth->ecdsa_verify_sig == NULL) {
67	0	ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
68	0	return 0;
69	0	}
70
71	0	return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
72	0	}
73
74		int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
75		unsigned char sig, unsigned int siglen,
76		const BIGNUM kinv, const BIGNUM r, EC_KEY *eckey)
77	0	{
78	0	ECDSA_SIG *s;
79
80	0	if (sig == NULL && (kinv == NULL \|\| r == NULL)) {
81	0	*siglen = ECDSA_size(eckey);
82	0	return 1;
83	0	}
84
85	0	s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
86	0	if (s == NULL) {
87	0	*siglen = 0;
88	0	return 0;
89	0	}
90	0	*siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
91	0	ECDSA_SIG_free(s);
92	0	return 1;
93	0	}
94
95		int ossl_ecdsa_deterministic_sign(const unsigned char *dgst, int dlen,
96		unsigned char sig, unsigned int siglen,
97		EC_KEY *eckey, unsigned int nonce_type,
98		const char *digestname,
99		OSSL_LIB_CTX libctx, const char propq)
100	0	{
101	0	ECDSA_SIG *s;
102	0	BIGNUM kinv = NULL, r = NULL;
103	0	int ret = 0;
104
105	0	if (sig == NULL) {
106	0	ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
107	0	return 0;
108	0	}
109	0	if (digestname == NULL) {
110	0	ERR_raise(ERR_LIB_EC, EC_R_INVALID_DIGEST);
111	0	return 0;
112	0	}
113
114	0	*siglen = 0;
115	0	if (!ecdsa_sign_setup(eckey, NULL, &kinv, &r, dgst, dlen,
116	0	nonce_type, digestname, libctx, propq))
117	0	return 0;
118
119	0	s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
120	0	if (s == NULL)
121	0	goto end;
122
123	0	*siglen = i2d_ECDSA_SIG(s, &sig);
124	0	ECDSA_SIG_free(s);
125	0	ret = 1;
126	0	end:
127	0	BN_clear_free(kinv);
128	0	BN_clear_free(r);
129	0	return ret;
130	0	}
131
132		static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in,
133		BIGNUM kinvp, BIGNUM rp,
134		const unsigned char *dgst, int dlen,
135		unsigned int nonce_type, const char *digestname,
136		OSSL_LIB_CTX libctx, const char propq)
137	0	{
138	0	BN_CTX *ctx = NULL;
139	0	BIGNUM k = NULL, r = NULL, *X = NULL;
140	0	const BIGNUM *order;
141	0	EC_POINT *tmp_point = NULL;
142	0	const EC_GROUP *group;
143	0	int ret = 0;
144	0	int order_bits;
145	0	const BIGNUM *priv_key;
146
147	0	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL) {
148	0	ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
149	0	return 0;
150	0	}
151	0	if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) {
152	0	ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY);
153	0	return 0;
154	0	}
155
156	0	if (!EC_KEY_can_sign(eckey)) {
157	0	ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
158	0	return 0;
159	0	}
160
161	0	if ((ctx = ctx_in) == NULL) {
162	0	if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL) {
163	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
164	0	return 0;
165	0	}
166	0	}
167
168	0	k = BN_secure_new(); /* this value is later returned in kinvp /
169	0	r = BN_new(); /* this value is later returned in rp /
170	0	X = BN_new();
171	0	if (k == NULL \|\| r == NULL \|\| X == NULL) {
172	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
173	0	goto err;
174	0	}
175	0	if ((tmp_point = EC_POINT_new(group)) == NULL) {
176	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
177	0	goto err;
178	0	}
179
180	0	if ((order = EC_GROUP_get0_order(group)) == NULL) {
181	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
182	0	goto err;
183	0	}
184
185		/* Preallocate space */
186	0	order_bits = BN_num_bits(order);
187		/* Check the number of bits here so that an infinite loop is not possible */
188	0	if (order_bits < MIN_ECDSA_SIGN_ORDERBITS
189	0	\|\| !BN_set_bit(k, order_bits)
190	0	\|\| !BN_set_bit(r, order_bits)
191	0	\|\| !BN_set_bit(X, order_bits))
192	0	goto err;
193
194	0	do {
195		/* get random or deterministic value of k */
196	0	do {
197	0	int res = 0;
198
199	0	if (dgst != NULL) {
200	0	if (nonce_type == 1) {
201	0	#ifndef FIPS_MODULE
202	0	res = ossl_gen_deterministic_nonce_rfc6979(k, order,
203	0	priv_key,
204	0	dgst, dlen,
205	0	digestname,
206	0	libctx, propq);
207	0	#endif
208	0	} else {
209	0	res = ossl_bn_gen_dsa_nonce_fixed_top(k, order, priv_key,
210	0	dgst, dlen, ctx);
211	0	}
212	0	} else {
213	0	res = ossl_bn_priv_rand_range_fixed_top(k, order, 0, ctx);
214	0	}
215	0	if (!res) {
216	0	ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
217	0	goto err;
218	0	}
219	0	} while (ossl_bn_is_word_fixed_top(k, 0));
220
221		/* compute r the x-coordinate of generator * k */
222	0	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
223	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
224	0	goto err;
225	0	}
226
227	0	if (!EC_POINT_get_affine_coordinates(group, tmp_point, X, NULL, ctx)) {
228	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
229	0	goto err;
230	0	}
231
232	0	if (!BN_nnmod(r, X, order, ctx)) {
233	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
234	0	goto err;
235	0	}
236	0	} while (BN_is_zero(r));
237
238		/* compute the inverse of k */
239	0	if (!ossl_ec_group_do_inverse_ord(group, k, k, ctx)) {
240	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
241	0	goto err;
242	0	}
243
244		/* clear old values if necessary */
245	0	BN_clear_free(*rp);
246	0	BN_clear_free(*kinvp);
247		/* save the pre-computed values */
248	0	*rp = r;
249	0	*kinvp = k;
250	0	ret = 1;
251	0	err:
252	0	if (!ret) {
253	0	BN_clear_free(k);
254	0	BN_clear_free(r);
255	0	}
256	0	if (ctx != ctx_in)
257	0	BN_CTX_free(ctx);
258	0	EC_POINT_free(tmp_point);
259	0	BN_clear_free(X);
260	0	return ret;
261	0	}
262
263		int ossl_ecdsa_simple_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
264		BIGNUM **rp)
265	0	{
266	0	return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0,
267	0	0, NULL, NULL, NULL);
268	0	}
269
270		ECDSA_SIG ossl_ecdsa_simple_sign_sig(const unsigned char dgst, int dgst_len,
271		const BIGNUM in_kinv, const BIGNUM in_r,
272		EC_KEY *eckey)
273	0	{
274	0	int ok = 0, i;
275	0	int retries = 0;
276	0	BIGNUM kinv = NULL, s, *m = NULL;
277	0	const BIGNUM order, ckinv;
278	0	BN_CTX *ctx = NULL;
279	0	const EC_GROUP *group;
280	0	ECDSA_SIG *ret;
281	0	const BIGNUM *priv_key;
282
283	0	group = EC_KEY_get0_group(eckey);
284	0	priv_key = EC_KEY_get0_private_key(eckey);
285
286	0	if (group == NULL) {
287	0	ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
288	0	return NULL;
289	0	}
290	0	if (priv_key == NULL) {
291	0	ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY);
292	0	return NULL;
293	0	}
294
295	0	if (!EC_KEY_can_sign(eckey)) {
296	0	ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
297	0	return NULL;
298	0	}
299
300	0	ret = ECDSA_SIG_new();
301	0	if (ret == NULL) {
302	0	ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
303	0	return NULL;
304	0	}
305	0	ret->r = BN_new();
306	0	ret->s = BN_new();
307	0	if (ret->r == NULL \|\| ret->s == NULL) {
308	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
309	0	goto err;
310	0	}
311	0	s = ret->s;
312
313	0	if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL
314	0	\|\| (m = BN_new()) == NULL) {
315	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
316	0	goto err;
317	0	}
318
319	0	if ((order = EC_GROUP_get0_order(group)) == NULL) {
320	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
321	0	goto err;
322	0	}
323
324	0	i = BN_num_bits(order);
325		/*
326		* Need to truncate digest if it is too long: first truncate whole bytes.
327		*/
328	0	if (8 * dgst_len > i)
329	0	dgst_len = (i + 7) / 8;
330	0	if (!BN_bin2bn(dgst, dgst_len, m)) {
331	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
332	0	goto err;
333	0	}
334		/* If still too long, truncate remaining bits with a shift */
335	0	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
336	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
337	0	goto err;
338	0	}
339	0	do {
340	0	if (in_kinv == NULL \|\| in_r == NULL) {
341	0	if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len,
342	0	0, NULL, NULL, NULL)) {
343	0	ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
344	0	goto err;
345	0	}
346	0	ckinv = kinv;
347	0	} else {
348	0	ckinv = in_kinv;
349	0	if (BN_copy(ret->r, in_r) == NULL) {
350	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
351	0	goto err;
352	0	}
353	0	}
354
355		/*
356		* With only one multiplicant being in Montgomery domain
357		* multiplication yields real result without post-conversion.
358		* Also note that all operations but last are performed with
359		* zero-padded vectors. Last operation, BN_mod_mul_montgomery
360		* below, returns user-visible value with removed zero padding.
361		*/
362	0	if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
363	0	\|\| !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
364	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
365	0	goto err;
366	0	}
367	0	if (!bn_mod_add_fixed_top(s, s, m, order)) {
368	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
369	0	goto err;
370	0	}
371		/*
372		* \|s\| can still be larger than modulus, because \|m\| can be. In
373		* such case we count on Montgomery reduction to tie it up.
374		*/
375	0	if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
376	0	\|\| !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
377	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
378	0	goto err;
379	0	}
380
381	0	if (BN_is_zero(s)) {
382		/*
383		* if kinv and r have been supplied by the caller, don't
384		* generate new kinv and r values
385		*/
386	0	if (in_kinv != NULL && in_r != NULL) {
387	0	ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES);
388	0	goto err;
389	0	}
390		/* Avoid infinite loops cause by invalid group parameters */
391	0	if (retries++ > MAX_ECDSA_SIGN_RETRIES) {
392	0	ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES);
393	0	goto err;
394	0	}
395	0	} else {
396		/* s != 0 => we have a valid signature */
397	0	break;
398	0	}
399	0	} while (1);
400
401	0	ok = 1;
402	0	err:
403	0	if (!ok) {
404	0	ECDSA_SIG_free(ret);
405	0	ret = NULL;
406	0	}
407	0	BN_CTX_free(ctx);
408	0	BN_clear_free(m);
409	0	BN_clear_free(kinv);
410	0	return ret;
411	0	}
412
413		/*-
414		* returns
415		* 1: correct signature
416		* 0: incorrect signature
417		* -1: error
418		*/
419		int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
420		const unsigned char sigbuf, int sig_len, EC_KEY eckey)
421	0	{
422	0	ECDSA_SIG *s;
423	0	const unsigned char *p = sigbuf;
424	0	unsigned char *der = NULL;
425	0	int derlen = -1;
426	0	int ret = -1;
427
428	0	s = ECDSA_SIG_new();
429	0	if (s == NULL)
430	0	return ret;
431	0	if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL)
432	0	goto err;
433		/* Ensure signature uses DER and doesn't have trailing garbage */
434	0	derlen = i2d_ECDSA_SIG(s, &der);
435	0	if (derlen != sig_len \|\| memcmp(sigbuf, der, derlen) != 0)
436	0	goto err;
437	0	ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
438	0	err:
439	0	OPENSSL_free(der);
440	0	ECDSA_SIG_free(s);
441	0	return ret;
442	0	}
443
444		int ossl_ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
445		const ECDSA_SIG sig, EC_KEY eckey)
446	0	{
447	0	int ret = -1, i;
448	0	BN_CTX *ctx;
449	0	const BIGNUM *order;
450	0	BIGNUM u1, u2, m, X;
451	0	EC_POINT *point = NULL;
452	0	const EC_GROUP *group;
453	0	const EC_POINT *pub_key;
454
455		/* check input values */
456	0	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL \|\|
457	0	(pub_key = EC_KEY_get0_public_key(eckey)) == NULL \|\| sig == NULL) {
458	0	ERR_raise(ERR_LIB_EC, EC_R_MISSING_PARAMETERS);
459	0	return -1;
460	0	}
461
462	0	if (!EC_KEY_can_sign(eckey)) {
463	0	ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
464	0	return -1;
465	0	}
466
467	0	ctx = BN_CTX_new_ex(eckey->libctx);
468	0	if (ctx == NULL) {
469	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
470	0	return -1;
471	0	}
472	0	BN_CTX_start(ctx);
473	0	u1 = BN_CTX_get(ctx);
474	0	u2 = BN_CTX_get(ctx);
475	0	m = BN_CTX_get(ctx);
476	0	X = BN_CTX_get(ctx);
477	0	if (X == NULL) {
478	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
479	0	goto err;
480	0	}
481
482	0	order = EC_GROUP_get0_order(group);
483	0	if (order == NULL) {
484	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
485	0	goto err;
486	0	}
487
488	0	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
489	0	BN_ucmp(sig->r, order) >= 0 \|\| BN_is_zero(sig->s) \|\|
490	0	BN_is_negative(sig->s) \|\| BN_ucmp(sig->s, order) >= 0) {
491	0	ERR_raise(ERR_LIB_EC, EC_R_BAD_SIGNATURE);
492	0	ret = 0; /* signature is invalid */
493	0	goto err;
494	0	}
495		/* calculate tmp1 = inv(S) mod order */
496	0	if (!ossl_ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
497	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
498	0	goto err;
499	0	}
500		/* digest -> m */
501	0	i = BN_num_bits(order);
502		/*
503		* Need to truncate digest if it is too long: first truncate whole bytes.
504		*/
505	0	if (8 * dgst_len > i)
506	0	dgst_len = (i + 7) / 8;
507	0	if (!BN_bin2bn(dgst, dgst_len, m)) {
508	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
509	0	goto err;
510	0	}
511		/* If still too long truncate remaining bits with a shift */
512	0	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
513	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
514	0	goto err;
515	0	}
516		/* u1 = m * tmp mod order */
517	0	if (!BN_mod_mul(u1, m, u2, order, ctx)) {
518	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
519	0	goto err;
520	0	}
521		/* u2 = r * w mod q */
522	0	if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
523	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
524	0	goto err;
525	0	}
526
527	0	if ((point = EC_POINT_new(group)) == NULL) {
528	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
529	0	goto err;
530	0	}
531	0	if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
532	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
533	0	goto err;
534	0	}
535
536	0	if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
537	0	ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
538	0	goto err;
539	0	}
540
541	0	if (!BN_nnmod(u1, X, order, ctx)) {
542	0	ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
543	0	goto err;
544	0	}
545		/* if the signature is correct u1 is equal to sig->r */
546	0	ret = (BN_ucmp(u1, sig->r) == 0);
547	0	err:
548	0	BN_CTX_end(ctx);
549	0	BN_CTX_free(ctx);
550	0	EC_POINT_free(point);
551	0	return ret;
552	0	}