1 /* crypto/ecdsa/ecs_ossl.c */
2 /* ====================================================================
3 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
31 * 6. Redistributions of any form whatsoever must retain the following
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
57 #include <openssl/err.h>
58 #include <openssl/obj_mac.h>
60 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
62 static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
64 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
65 ECDSA_SIG *sig, EC_KEY *eckey);
67 static ECDSA_METHOD openssl_ecdsa_meth = {
68 "OpenSSL ECDSA method",
80 const ECDSA_METHOD *ECDSA_OpenSSL(void)
82 return &openssl_ecdsa_meth;
85 static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
89 BIGNUM k,*kinv=NULL,*r=NULL,*order=NULL,*X=NULL;
90 EC_POINT *tmp_point=NULL;
92 if (!eckey || !eckey->group || !eckey->pub_key || !eckey->priv_key)
94 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
102 if ((ctx=BN_CTX_new()) == NULL)
104 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
111 if ((r = BN_new()) == NULL)
113 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
116 if ((order = BN_new()) == NULL)
118 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
121 if ((X = BN_new()) == NULL)
123 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
126 if ((tmp_point = EC_POINT_new(eckey->group)) == NULL)
128 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
131 if (!EC_GROUP_get_order(eckey->group,order,ctx))
133 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
141 if (!BN_rand_range(&k,order))
143 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
144 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
147 while (BN_is_zero(&k));
149 /* compute r the x-coordinate of generator * k */
150 if (!EC_POINT_mul(eckey->group, tmp_point, &k, NULL, NULL, ctx))
152 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
155 if (EC_METHOD_get_field_type(EC_GROUP_method_of(eckey->group))
156 == NID_X9_62_prime_field)
158 if (!EC_POINT_get_affine_coordinates_GFp(eckey->group,
159 tmp_point, X, NULL, ctx))
161 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
166 else /* NID_X9_62_characteristic_two_field */
168 if (!EC_POINT_get_affine_coordinates_GF2m(eckey->group,
169 tmp_point, X, NULL, ctx))
171 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
176 if (!BN_nnmod(r,X,order,ctx))
178 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
182 while (BN_is_zero(r));
184 /* compute the inverse of k */
185 if ((kinv = BN_mod_inverse(NULL,&k,order,ctx)) == NULL)
187 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
195 BN_clear_free(*kinvp);
202 if (kinv != NULL) BN_clear_free(kinv);
203 if (r != NULL) BN_clear_free(r);
210 BN_clear_free(order);
211 if (tmp_point != NULL)
212 EC_POINT_free(tmp_point);
213 if (X) BN_clear_free(X);
219 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
222 BIGNUM *kinv=NULL,*r=NULL,*s=NULL,*m=NULL,*tmp=NULL,*order=NULL;
230 ecdsa = ecdsa_check(eckey);
232 if (!eckey || !eckey->group || !eckey->pub_key || !eckey->priv_key
235 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
239 if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
240 (tmp = BN_new()) == NULL || (m = BN_new()) == NULL ||
241 (s = BN_new()) == NULL )
243 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
247 if (!EC_GROUP_get_order(eckey->group,order,ctx))
249 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
252 if (dgst_len > BN_num_bytes(order))
254 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
255 ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
259 if (BN_bin2bn(dgst,dgst_len,m) == NULL)
261 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
266 if (ecdsa->kinv == NULL || ecdsa->r == NULL)
268 if (!ECDSA_sign_setup(eckey,ctx,&kinv,&r))
270 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
283 if (!BN_mod_mul(tmp,eckey->priv_key,r,order,ctx))
285 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
288 if (!BN_add(s,tmp,m))
290 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
293 if (BN_cmp(s,order) > 0)
295 if (!BN_mod_mul(s,s,kinv,order,ctx))
297 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
301 while (BN_is_zero(s));
303 if ((ret = ECDSA_SIG_new()) == NULL)
305 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
308 if (BN_copy(ret->r, r) == NULL || BN_copy(ret->s, s) == NULL)
312 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
327 BN_clear_free(order);
333 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
334 ECDSA_SIG *sig, EC_KEY *eckey)
337 BIGNUM *order=NULL,*u1=NULL,*u2=NULL,*m=NULL,*X=NULL;
338 EC_POINT *point=NULL;
340 if (!eckey || !eckey->group || !eckey->pub_key || !sig)
342 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
346 if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
347 (u1 = BN_new()) == NULL || (u2 = BN_new()) == NULL ||
348 (m = BN_new()) == NULL || (X = BN_new()) == NULL)
350 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
353 if (!EC_GROUP_get_order(eckey->group, order, ctx))
355 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
359 if (BN_is_zero(sig->r) || BN_get_sign(sig->r) ||
360 BN_ucmp(sig->r, order) >= 0)
362 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
366 if (BN_is_zero(sig->s) || BN_get_sign(sig->s) ||
367 BN_ucmp(sig->s, order) >= 0)
369 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
374 /* calculate tmp1 = inv(S) mod order */
375 if ((BN_mod_inverse(u2,sig->s,order,ctx)) == NULL)
377 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
381 if (BN_bin2bn(dgst,dgst_len,m) == NULL)
383 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
386 /* u1 = m * tmp mod order */
387 if (!BN_mod_mul(u1,m,u2,order,ctx))
389 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
392 /* u2 = r * w mod q */
393 if (!BN_mod_mul(u2,sig->r,u2,order,ctx))
395 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
399 if ((point = EC_POINT_new(eckey->group)) == NULL)
401 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
404 if (!EC_POINT_mul(eckey->group, point, u1, eckey->pub_key, u2, ctx))
406 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
409 if (EC_METHOD_get_field_type(EC_GROUP_method_of(eckey->group))
410 == NID_X9_62_prime_field)
412 if (!EC_POINT_get_affine_coordinates_GFp(eckey->group,
413 point, X, NULL, ctx))
415 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
419 else /* NID_X9_62_characteristic_two_field */
421 if (!EC_POINT_get_affine_coordinates_GF2m(eckey->group,
422 point, X, NULL, ctx))
424 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
429 if (!BN_nnmod(u1,X,order,ctx))
431 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
435 /* is now in u1. If the signature is correct, it will be
437 ret = (BN_ucmp(u1,sig->r) == 0);
451 BN_clear_free(order);
453 EC_POINT_free(point);