X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=crypto%2Fecdsa%2Fecs_ossl.c;h=8336bceb673b6fcd96552a8fa7ed2a9e2e50d83a;hb=244ed51a0dad5f52233b46be716defcfe7bc77ff;hp=5a36707cfbd38b885859a87acd5a883b8b556bdf;hpb=4d94ae00d5614d64d4dd065860c4b00161a81f82;p=oweals%2Fopenssl.git diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index 5a36707cfb..8336bceb67 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -1,6 +1,9 @@ /* crypto/ecdsa/ecs_ossl.c */ +/* + * Written by Nils Larsch for the OpenSSL project + */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -52,80 +55,32 @@ * Hudson (tjh@cryptsoft.com). * */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -#include "cryptlib.h" -#include -/* TODO : general case */ -#define EC_POINT_get_affine_coordinates EC_POINT_get_affine_coordinates_GFp +#define OPENSSL_FIPSAPI -static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, ECDSA *ecdsa); -static int ecdsa_sign_setup(ECDSA *ecdsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); -static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, ECDSA_SIG *sig, - ECDSA *ecdsa); +#include "ecs_locl.h" +#include +#include +#include + +static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, + const BIGNUM *, const BIGNUM *, EC_KEY *eckey); +static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp); +static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey); static ECDSA_METHOD openssl_ecdsa_meth = { -"OpenSSL ECDSA method", -ecdsa_do_sign, -ecdsa_sign_setup, -ecdsa_do_verify, -0, -NULL + "OpenSSL ECDSA method", + ecdsa_do_sign, + ecdsa_sign_setup, + ecdsa_do_verify, +#if 0 + NULL, /* init */ + NULL, /* finish */ +#endif + ECDSA_FLAG_FIPS_METHOD, /* flags */ + NULL /* app_data */ }; const ECDSA_METHOD *ECDSA_OpenSSL(void) @@ -133,249 +88,454 @@ const ECDSA_METHOD *ECDSA_OpenSSL(void) return &openssl_ecdsa_meth; } -static int ecdsa_sign_setup(ECDSA *ecdsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp) { BN_CTX *ctx = NULL; - BIGNUM k,*kinv=NULL,*r=NULL,*order=NULL,*X=NULL; + BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; EC_POINT *tmp_point=NULL; - int ret = 0,reason = ERR_R_BN_LIB; - if (!ecdsa || !ecdsa->group || !ecdsa->pub_key || !ecdsa->priv_key) + const EC_GROUP *group; + int ret = 0; + + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { - reason = ECDSA_R_MISSING_PARAMETERS; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (ctx_in == NULL) { - if ((ctx=BN_CTX_new()) == NULL) goto err; + if ((ctx = BN_CTX_new()) == NULL) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE); + return 0; + } } else - ctx=ctx_in; + ctx = ctx_in; - if ((r = BN_new()) == NULL) goto err; - if ((order = BN_new()) == NULL) goto err; - if ((X = BN_new()) == NULL) goto err; - if ((tmp_point = EC_POINT_new(ecdsa->group)) == NULL) + k = BN_new(); /* this value is later returned in *kinvp */ + r = BN_new(); /* this value is later returned in *rp */ + order = BN_new(); + X = BN_new(); + if (!k || !r || !order || !X) { - reason = ERR_R_EC_LIB; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); goto err; } - if (!EC_POINT_copy(tmp_point,EC_GROUP_get0_generator(ecdsa->group))) + if ((tmp_point = EC_POINT_new(group)) == NULL) { - reason = ERR_R_EC_LIB; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } - if (!EC_GROUP_get_order(ecdsa->group,order,ctx)) + if (!EC_GROUP_get_order(group, order, ctx)) { - reason = ERR_R_EC_LIB; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } + +#ifdef OPENSSL_FIPS + if (!fips_check_ec_prng(eckey)) + goto err; +#endif do { /* get random k */ - BN_init(&k); do - if (!BN_rand_range(&k,order)) + if (!BN_rand_range(k, order)) { - reason = ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, + ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } - while (BN_is_zero(&k)); + while (BN_is_zero(k)); + + /* We do not want timing information to leak the length of k, + * so we compute G*k using an equivalent scalar of fixed + * bit-length. */ + + if (!BN_add(k, k, order)) goto err; + if (BN_num_bits(k) <= BN_num_bits(order)) + if (!BN_add(k, k, order)) goto err; /* compute r the x-coordinate of generator * k */ - if (!EC_POINT_mul(ecdsa->group,tmp_point,&k,NULL,NULL,ctx) - || !EC_POINT_get_affine_coordinates(ecdsa->group,tmp_point,X,NULL,ctx)) + if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { - reason = ERR_R_EC_LIB; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); + goto err; + } + if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) + { + if (!EC_POINT_get_affine_coordinates_GFp(group, + tmp_point, X, NULL, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB); + goto err; + } + } +#ifndef OPENSSL_NO_EC2M + else /* NID_X9_62_characteristic_two_field */ + { + if (!EC_POINT_get_affine_coordinates_GF2m(group, + tmp_point, X, NULL, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB); + goto err; + } + } +#endif + if (!BN_nnmod(r, X, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } - if (!BN_nnmod(r,X,order,ctx)) goto err; } while (BN_is_zero(r)); /* compute the inverse of k */ - if ((kinv = BN_mod_inverse(NULL,&k,order,ctx)) == NULL) goto err; - - if (*rp == NULL) + if (!BN_mod_inverse(k, k, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + /* clear old values if necessary */ + if (*rp != NULL) BN_clear_free(*rp); - *rp = r; - if (*kinvp == NULL) + if (*kinvp != NULL) BN_clear_free(*kinvp); - *kinvp = kinv; - kinv = NULL; + /* save the pre-computed values */ + *rp = r; + *kinvp = k; ret = 1; err: if (!ret) { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,reason); - if (kinv != NULL) BN_clear_free(kinv); + if (k != NULL) BN_clear_free(k); if (r != NULL) BN_clear_free(r); } if (ctx_in == NULL) BN_CTX_free(ctx); - if (kinv != NULL) - BN_clear_free(kinv); if (order != NULL) - BN_clear_free(order); + BN_free(order); if (tmp_point != NULL) EC_POINT_free(tmp_point); - if (X) BN_clear_free(X); - BN_clear_free(&k); + if (X) + BN_clear_free(X); return(ret); } -static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSA *ecdsa) +static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, + const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) { - BIGNUM *kinv=NULL,*r=NULL,*s=NULL,*m=NULL,*tmp=NULL,*order=NULL; - BIGNUM xr; - BN_CTX *ctx=NULL; - int reason=ERR_R_BN_LIB; - ECDSA_SIG *ret=NULL; + int ok = 0, i; + BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL; + const BIGNUM *ckinv; + BN_CTX *ctx = NULL; + const EC_GROUP *group; + ECDSA_SIG *ret; + ECDSA_DATA *ecdsa; + const BIGNUM *priv_key; - if (!ecdsa || !ecdsa->group || !ecdsa->pub_key || !ecdsa->priv_key) +#ifdef OPENSSL_FIPS + if(FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } +#endif + + ecdsa = ecdsa_check(eckey); + group = EC_KEY_get0_group(eckey); + priv_key = EC_KEY_get0_private_key(eckey); + + if (group == NULL || priv_key == NULL || ecdsa == NULL) { - reason = ECDSA_R_MISSING_PARAMETERS; - goto err; + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER); + return NULL; } - BN_init(&xr); - if ((ctx = BN_CTX_new()) == NULL) goto err; - if ((order = BN_new()) == NULL) goto err; - if ((tmp = BN_new()) == NULL) goto err; - if ((m = BN_new()) == NULL) goto err; - if ((s = BN_new()) == NULL) goto err; +#ifdef OPENSSL_FIPS + if (!fips_check_ec_prng(eckey)) + return NULL; +#endif - if (!EC_GROUP_get_order(ecdsa->group,order,ctx)) + ret = ECDSA_SIG_new(); + if (!ret) { - reason = ECDSA_R_ERR_EC_LIB; - goto err; + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + return NULL; } - if (dgst_len > BN_num_bytes(order)) + s = ret->s; + + if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || + (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { - reason = ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE; + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; } - if (BN_bin2bn(dgst,dgst_len,m) == NULL) goto err; + if (!EC_GROUP_get_order(group, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB); + goto err; + } + i = BN_num_bits(order); + /* Need to truncate digest if it is too long: first truncate whole + * bytes. + */ + if (8 * dgst_len > i) + dgst_len = (i + 7)/8; + if (!BN_bin2bn(dgst, dgst_len, m)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } + /* If still too long truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } do { - if ((ecdsa->kinv == NULL) || (ecdsa->r == NULL)) + if (in_kinv == NULL || in_r == NULL) { - if (!ECDSA_sign_setup(ecdsa,ctx,&kinv,&r)) goto err; + if (!ecdsa->meth->ecdsa_sign_setup(eckey, ctx, + &kinv, &ret->r)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB); + goto err; + } + ckinv = kinv; } else { - kinv = ecdsa->kinv; - ecdsa->kinv = NULL; - r = ecdsa->r; - ecdsa->r = NULL; + ckinv = in_kinv; + if (BN_copy(ret->r, in_r) == NULL) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } } - if (!BN_mod_mul(tmp,ecdsa->priv_key,r,order,ctx)) goto err; - if (!BN_add(s,tmp,m)) goto err; - if (BN_cmp(s,order) > 0) - BN_sub(s,s,order); - if (!BN_mod_mul(s,s,kinv,order,ctx)) goto err; + if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_add_quick(s, tmp, m, order)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_mul(s, s, ckinv, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } + if (BN_is_zero(s)) + { + /* if kinv and r have been supplied by the caller + * don't to generate new kinv and r values */ + if (in_kinv != NULL && in_r != NULL) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } + else + /* s != 0 => we have a valid signature */ + break; } - while (BN_is_zero(s)); + while (1); - if ((ret = ECDSA_SIG_new()) == NULL) + ok = 1; +err: + if (!ok) { - reason = ECDSA_R_SIGNATURE_MALLOC_FAILED; - goto err; + ECDSA_SIG_free(ret); + ret = NULL; } - ret->r = r; - ret->s = s; - -err: - if (!ret) - { - ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,reason); - BN_free(r); - BN_free(s); - } - if (ctx != NULL) BN_CTX_free(ctx); - if (m != NULL) BN_clear_free(m); - if (tmp != NULL) BN_clear_free(tmp); - if (order != NULL) BN_clear_free(order); - if (kinv != NULL) BN_clear_free(kinv); - return(ret); + if (ctx) + BN_CTX_free(ctx); + if (m) + BN_clear_free(m); + if (tmp) + BN_clear_free(tmp); + if (order) + BN_free(order); + if (kinv) + BN_clear_free(kinv); + return ret; } -static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, ECDSA_SIG *sig, - ECDSA *ecdsa) +static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey) { - BN_CTX *ctx; - BIGNUM *order=NULL,*u1=NULL,*u2=NULL,*m=NULL,*X=NULL; - EC_POINT *point=NULL; - int ret = -1,reason = ERR_R_BN_LIB; - if (!ecdsa || !ecdsa->group || !ecdsa->pub_key || !sig) + int ret = -1, i; + BN_CTX *ctx; + BIGNUM *order, *u1, *u2, *m, *X; + EC_POINT *point = NULL; + const EC_GROUP *group; + const EC_POINT *pub_key; + +#ifdef OPENSSL_FIPS + if(FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } +#endif + + /* check input values */ + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || + (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { - reason = ECDSA_R_MISSING_PARAMETERS; + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS); return -1; } - if ((ctx = BN_CTX_new()) == NULL) goto err; - if ((order = BN_new()) == NULL) goto err; - if ((u1 = BN_new()) == NULL) goto err; - if ((u2 = BN_new()) == NULL) goto err; - if ((m = BN_new()) == NULL) goto err; - if ((X = BN_new()) == NULL) goto err; - if (!EC_GROUP_get_order(ecdsa->group,order,ctx)) goto err; - - if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, order) >= 0) + ctx = BN_CTX_new(); + if (!ctx) { - reason = ECDSA_R_BAD_SIGNATURE; - ret = 0; + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE); + return -1; + } + BN_CTX_start(ctx); + order = BN_CTX_get(ctx); + u1 = BN_CTX_get(ctx); + u2 = BN_CTX_get(ctx); + m = BN_CTX_get(ctx); + X = BN_CTX_get(ctx); + if (!X) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } - if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, order) >= 0) + + if (!EC_GROUP_get_order(group, order, ctx)) { - reason = ECDSA_R_BAD_SIGNATURE; - ret = 0; + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); goto err; } + if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || + BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || + BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE); + ret = 0; /* signature is invalid */ + goto err; + } /* calculate tmp1 = inv(S) mod order */ - if ((BN_mod_inverse(u2,sig->s,order,ctx)) == NULL) goto err; + if (!BN_mod_inverse(u2, sig->s, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); + goto err; + } /* digest -> m */ - if (BN_bin2bn(dgst,dgst_len,m) == NULL) goto err; + i = BN_num_bits(order); + /* Need to truncate digest if it is too long: first truncate whole + * bytes. + */ + if (8 * dgst_len > i) + dgst_len = (i + 7)/8; + if (!BN_bin2bn(dgst, dgst_len, m)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); + goto err; + } + /* If still too long truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); + goto err; + } /* u1 = m * tmp mod order */ - if (!BN_mod_mul(u1,m,u2,order,ctx)) goto err; + if (!BN_mod_mul(u1, m, u2, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); + goto err; + } /* u2 = r * w mod q */ - if (!BN_mod_mul(u2,sig->r,u2,order,ctx)) goto err; + if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); + goto err; + } - if ((point = EC_POINT_new(ecdsa->group)) == NULL) + if ((point = EC_POINT_new(group)) == NULL) { - reason = ERR_R_EC_LIB; + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE); goto err; } - if (!EC_POINT_copy(point,EC_GROUP_get0_generator(ecdsa->group))) + if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) { - reason = ERR_R_EC_LIB; + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); goto err; } - if (!EC_POINT_mul(ecdsa->group,point,u1,ecdsa->pub_key,u2,ctx) - || !EC_POINT_get_affine_coordinates(ecdsa->group,point,X,NULL,ctx)) + if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) + { + if (!EC_POINT_get_affine_coordinates_GFp(group, + point, X, NULL, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); + goto err; + } + } +#ifndef OPENSSL_NO_EC2M + else /* NID_X9_62_characteristic_two_field */ + { + if (!EC_POINT_get_affine_coordinates_GF2m(group, + point, X, NULL, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); + goto err; + } + } +#endif + if (!BN_nnmod(u1, X, order, ctx)) { - reason = ERR_R_EC_LIB; + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } - if (!BN_nnmod(u1,X,order,ctx)) goto err; - - /* is now in u1. If the signature is correct, it will be - * equal to R. */ - ret = (BN_ucmp(u1,sig->r) == 0); - - err: - if (ret != 1) ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,reason); - if (ctx != NULL) BN_CTX_free(ctx); - if (u1 != NULL) BN_clear_free(u1); - if (u2 != NULL) BN_clear_free(u2); - if (m != NULL) BN_clear_free(m); - if (X != NULL) BN_clear_free(X); - if (order != NULL) BN_clear_free(order); - if (point != NULL) EC_POINT_free(point); - return(ret); + /* if the signature is correct u1 is equal to sig->r */ + ret = (BN_ucmp(u1, sig->r) == 0); +err: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + if (point) + EC_POINT_free(point); + return ret; } + +#ifdef OPENSSL_FIPSCANISTER +/* FIPS stanadlone version of ecdsa_check: just return FIPS method */ +ECDSA_DATA *fips_ecdsa_check(EC_KEY *key) + { + static ECDSA_DATA rv = { + 0,0,0, + &openssl_ecdsa_meth + }; + return &rv; + } +/* Standalone digest sign and verify */ +int FIPS_ecdsa_verify_digest(EC_KEY *key, + const unsigned char *dig, int dlen, ECDSA_SIG *s) + { + ECDSA_DATA *ecdsa = ecdsa_check(key); + if (ecdsa == NULL) + return 0; + return ecdsa->meth->ecdsa_do_verify(dig, dlen, s, key); + } +ECDSA_SIG * FIPS_ecdsa_sign_digest(EC_KEY *key, + const unsigned char *dig, int dlen) + { + ECDSA_DATA *ecdsa = ecdsa_check(key); + if (ecdsa == NULL) + return NULL; + return ecdsa->meth->ecdsa_do_sign(dig, dlen, NULL, NULL, key); + } +#endif