00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032 #include "polarssl/config.h"
00033
00034 #if defined(POLARSSL_ECDSA_C)
00035
00036 #include "polarssl/ecdsa.h"
00037 #include "polarssl/asn1write.h"
00038
00039
00040
00041
00042
00043 static int derive_mpi( const ecp_group *grp, mpi *x,
00044 const unsigned char *buf, size_t blen )
00045 {
00046 size_t n_size = (grp->nbits + 7) / 8;
00047 return( mpi_read_binary( x, buf, blen > n_size ? n_size : blen ) );
00048 }
00049
00050
00051
00052
00053
00054 int ecdsa_sign( ecp_group *grp, mpi *r, mpi *s,
00055 const mpi *d, const unsigned char *buf, size_t blen,
00056 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
00057 {
00058 int ret, key_tries, sign_tries;
00059 ecp_point R;
00060 mpi k, e;
00061
00062 ecp_point_init( &R );
00063 mpi_init( &k );
00064 mpi_init( &e );
00065
00066 sign_tries = 0;
00067 do
00068 {
00069
00070
00071
00072
00073 key_tries = 0;
00074 do
00075 {
00076 MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
00077 MPI_CHK( mpi_mod_mpi( r, &R.X, &grp->N ) );
00078
00079 if( key_tries++ > 10 )
00080 {
00081 ret = POLARSSL_ERR_ECP_RANDOM_FAILED;
00082 goto cleanup;
00083 }
00084 }
00085 while( mpi_cmp_int( r, 0 ) == 0 );
00086
00087
00088
00089
00090 MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
00091
00092
00093
00094
00095 MPI_CHK( mpi_mul_mpi( s, r, d ) );
00096 MPI_CHK( mpi_add_mpi( &e, &e, s ) );
00097 MPI_CHK( mpi_inv_mod( s, &k, &grp->N ) );
00098 MPI_CHK( mpi_mul_mpi( s, s, &e ) );
00099 MPI_CHK( mpi_mod_mpi( s, s, &grp->N ) );
00100
00101 if( sign_tries++ > 10 )
00102 {
00103 ret = POLARSSL_ERR_ECP_RANDOM_FAILED;
00104 goto cleanup;
00105 }
00106 }
00107 while( mpi_cmp_int( s, 0 ) == 0 );
00108
00109 cleanup:
00110 ecp_point_free( &R );
00111 mpi_free( &k );
00112 mpi_free( &e );
00113
00114 return( ret );
00115 }
00116
00117
00118
00119
00120
00121 int ecdsa_verify( ecp_group *grp,
00122 const unsigned char *buf, size_t blen,
00123 const ecp_point *Q, const mpi *r, const mpi *s)
00124 {
00125 int ret;
00126 mpi e, s_inv, u1, u2;
00127 ecp_point R, P;
00128
00129 ecp_point_init( &R ); ecp_point_init( &P );
00130 mpi_init( &e ); mpi_init( &s_inv ); mpi_init( &u1 ); mpi_init( &u2 );
00131
00132
00133
00134
00135 if( mpi_cmp_int( r, 1 ) < 0 || mpi_cmp_mpi( r, &grp->N ) >= 0 ||
00136 mpi_cmp_int( s, 1 ) < 0 || mpi_cmp_mpi( s, &grp->N ) >= 0 )
00137 {
00138 ret = POLARSSL_ERR_ECP_VERIFY_FAILED;
00139 goto cleanup;
00140 }
00141
00142
00143
00144
00145 MPI_CHK( ecp_check_pubkey( grp, Q ) );
00146
00147
00148
00149
00150 MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
00151
00152
00153
00154
00155 MPI_CHK( mpi_inv_mod( &s_inv, s, &grp->N ) );
00156
00157 MPI_CHK( mpi_mul_mpi( &u1, &e, &s_inv ) );
00158 MPI_CHK( mpi_mod_mpi( &u1, &u1, &grp->N ) );
00159
00160 MPI_CHK( mpi_mul_mpi( &u2, r, &s_inv ) );
00161 MPI_CHK( mpi_mod_mpi( &u2, &u2, &grp->N ) );
00162
00163
00164
00165
00166
00167
00168
00169 MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G, NULL, NULL ) );
00170 MPI_CHK( ecp_mul( grp, &P, &u2, Q, NULL, NULL ) );
00171 MPI_CHK( ecp_add( grp, &R, &R, &P ) );
00172
00173 if( ecp_is_zero( &R ) )
00174 {
00175 ret = POLARSSL_ERR_ECP_VERIFY_FAILED;
00176 goto cleanup;
00177 }
00178
00179
00180
00181
00182
00183 MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
00184
00185
00186
00187
00188 if( mpi_cmp_mpi( &R.X, r ) != 0 )
00189 {
00190 ret = POLARSSL_ERR_ECP_VERIFY_FAILED;
00191 goto cleanup;
00192 }
00193
00194 cleanup:
00195 ecp_point_free( &R ); ecp_point_free( &P );
00196 mpi_free( &e ); mpi_free( &s_inv ); mpi_free( &u1 ); mpi_free( &u2 );
00197
00198 return( ret );
00199 }
00200
00201
00202
00203
00204
00205
00206
00207
00208
00209
00210
00211
00212
00213
00214
00215 #if POLARSSL_ECP_MAX_BYTES > 124
00216 #error "POLARSSL_ECP_MAX_BYTES bigger than expected, please fix MAX_SIG_LEN"
00217 #endif
00218 #define MAX_SIG_LEN ( 3 + 2 * ( 2 + POLARSSL_ECP_MAX_BYTES ) )
00219
00220
00221
00222
00223 int ecdsa_write_signature( ecdsa_context *ctx,
00224 const unsigned char *hash, size_t hlen,
00225 unsigned char *sig, size_t *slen,
00226 int (*f_rng)(void *, unsigned char *, size_t),
00227 void *p_rng )
00228 {
00229 int ret;
00230 unsigned char buf[MAX_SIG_LEN];
00231 unsigned char *p = buf + sizeof( buf );
00232 size_t len = 0;
00233
00234 if( ( ret = ecdsa_sign( &ctx->grp, &ctx->r, &ctx->s, &ctx->d,
00235 hash, hlen, f_rng, p_rng ) ) != 0 )
00236 {
00237 return( ret );
00238 }
00239
00240 ASN1_CHK_ADD( len, asn1_write_mpi( &p, buf, &ctx->s ) );
00241 ASN1_CHK_ADD( len, asn1_write_mpi( &p, buf, &ctx->r ) );
00242
00243 ASN1_CHK_ADD( len, asn1_write_len( &p, buf, len ) );
00244 ASN1_CHK_ADD( len, asn1_write_tag( &p, buf,
00245 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
00246
00247 memcpy( sig, p, len );
00248 *slen = len;
00249
00250 return( 0 );
00251 }
00252
00253
00254
00255
00256 int ecdsa_read_signature( ecdsa_context *ctx,
00257 const unsigned char *hash, size_t hlen,
00258 const unsigned char *sig, size_t slen )
00259 {
00260 int ret;
00261 unsigned char *p = (unsigned char *) sig;
00262 const unsigned char *end = sig + slen;
00263 size_t len;
00264
00265 if( ( ret = asn1_get_tag( &p, end, &len,
00266 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
00267 {
00268 return( POLARSSL_ERR_ECP_BAD_INPUT_DATA + ret );
00269 }
00270
00271 if( p + len != end )
00272 return( POLARSSL_ERR_ECP_BAD_INPUT_DATA +
00273 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00274
00275 if( ( ret = asn1_get_mpi( &p, end, &ctx->r ) ) != 0 ||
00276 ( ret = asn1_get_mpi( &p, end, &ctx->s ) ) != 0 )
00277 return( POLARSSL_ERR_ECP_BAD_INPUT_DATA + ret );
00278
00279 if( p != end )
00280 return( POLARSSL_ERR_ECP_BAD_INPUT_DATA +
00281 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00282
00283 return( ecdsa_verify( &ctx->grp, hash, hlen, &ctx->Q, &ctx->r, &ctx->s ) );
00284 }
00285
00286
00287
00288
00289 int ecdsa_genkey( ecdsa_context *ctx, ecp_group_id gid,
00290 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
00291 {
00292 return( ecp_use_known_dp( &ctx->grp, gid ) ||
00293 ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) );
00294 }
00295
00296
00297
00298
00299 int ecdsa_from_keypair( ecdsa_context *ctx, const ecp_keypair *key )
00300 {
00301 int ret;
00302
00303 if( ( ret = ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
00304 ( ret = mpi_copy( &ctx->d, &key->d ) ) != 0 ||
00305 ( ret = ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
00306 {
00307 ecdsa_free( ctx );
00308 }
00309
00310 return( ret );
00311 }
00312
00313
00314
00315
00316 void ecdsa_init( ecdsa_context *ctx )
00317 {
00318 ecp_group_init( &ctx->grp );
00319 mpi_init( &ctx->d );
00320 ecp_point_init( &ctx->Q );
00321 mpi_init( &ctx->r );
00322 mpi_init( &ctx->s );
00323 }
00324
00325
00326
00327
00328 void ecdsa_free( ecdsa_context *ctx )
00329 {
00330 ecp_group_free( &ctx->grp );
00331 mpi_free( &ctx->d );
00332 ecp_point_free( &ctx->Q );
00333 mpi_free( &ctx->r );
00334 mpi_free( &ctx->s );
00335 }
00336
00337 #if defined(POLARSSL_SELF_TEST)
00338
00339
00340
00341
00342 int ecdsa_self_test( int verbose )
00343 {
00344 return( verbose++ );
00345 }
00346
00347 #endif
00348
00349 #endif