diff --git a/src/headers/tomcrypt_pk.h b/src/headers/tomcrypt_pk.h index ed108cc..aa00be1 100644 --- a/src/headers/tomcrypt_pk.h +++ b/src/headers/tomcrypt_pk.h @@ -17,6 +17,9 @@ enum { /* Indicates standard output formats that can be read e.g. by OpenSSL or GnuTLS */ #define PK_STD 0x1000 +/* iterations limit for retry-loops */ +#define PK_MAX_RETRIES 20 + int rand_prime(void *N, long len, prng_state *prng, int wprng); int rand_bn_bits(void *N, int bits, prng_state *prng, int wprng); int rand_bn_range(void *N, void *limit, prng_state *prng, int wprng); @@ -314,17 +317,17 @@ int ecc_decrypt_key(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen, ecc_key *key); -int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen, - void *r, void *s, - prng_state *prng, int wprng, ecc_key *key); +int ecc_sign_hash_rfc7518(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + prng_state *prng, int wprng, ecc_key *key); int ecc_sign_hash(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen, prng_state *prng, int wprng, ecc_key *key); -int ecc_verify_hash_raw( void *r, void *s, - const unsigned char *hash, unsigned long hashlen, - int *stat, ecc_key *key); +int ecc_verify_hash_rfc7518(const unsigned char *sig, unsigned long siglen, + const unsigned char *hash, unsigned long hashlen, + int *stat, ecc_key *key); int ecc_verify_hash(const unsigned char *sig, unsigned long siglen, const unsigned char *hash, unsigned long hashlen, diff --git a/src/pk/ecc/ecc_sign_hash.c b/src/pk/ecc/ecc_sign_hash.c index 9896783..e97dcf4 100644 --- a/src/pk/ecc/ecc_sign_hash.c +++ b/src/pk/ecc/ecc_sign_hash.c @@ -7,43 +7,29 @@ * guarantee it works. */ -/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b - * - * All curves taken from NIST recommendation paper of July 1999 - * Available at http://csrc.nist.gov/cryptval/dss.htm - */ #include "tomcrypt.h" +#ifdef LTC_MECC + /** @file ecc_sign_hash.c ECC Crypto, Tom St Denis */ -#ifdef LTC_MECC - -/** - Sign a hash with ECC - @param in The hash to sign - @param inlen The length of the hash to sign - @param r The "r" integer of the signature (caller must initialize with mp_init() first) - @param s The "s" integer of the signature (caller must initialize with mp_init() first) - @param prng An active PRNG state - @param wprng The index of the PRNG desired - @param key A private ECC key - @return CRYPT_OK if successful -*/ -int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen, - void *r, void *s, - prng_state *prng, int wprng, ecc_key *key) +static int _ecc_sign_hash(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + prng_state *prng, int wprng, ecc_key *key, int sigformat) { ecc_key pubkey; - void *e, *p; - int err; + void *r, *s, *e, *p; + int err, max_iterations = PK_MAX_RETRIES; + unsigned long pbits, pbytes, i, shift_right; + unsigned char ch, buf[MAXBLOCKSIZE]; - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(r != NULL); - LTC_ARGCHK(s != NULL); - LTC_ARGCHK(key != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + LTC_ARGCHK(key != NULL); /* is this a private key? */ if (key->type != PK_PRIVATE) { @@ -59,46 +45,83 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen, return err; } - /* get the hash and load it as a bignum into 'e' */ /* init the bignums */ - if ((err = mp_init_multi(&p, &e, NULL)) != CRYPT_OK) { + if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != CRYPT_OK) { return err; } - if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto errnokey; } - if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto errnokey; } + if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto errnokey; } + + /* get the hash and load it as a bignum into 'e' */ + pbits = mp_count_bits(p); + pbytes = (pbits+7) >> 3; + if (pbits > inlen*8) { + if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, inlen)) != CRYPT_OK) { goto errnokey; } + } + else if (pbits % 8 == 0) { + if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, pbytes)) != CRYPT_OK) { goto errnokey; } + } + else { + shift_right = 8 - pbits % 8; + for (i=0, ch=0; i> shift_right); + } + if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK) { goto errnokey; } + } /* make up a key and export the public copy */ - for (;;) { + do { if ((err = ecc_make_key_ex(prng, wprng, &pubkey, key->dp)) != CRYPT_OK) { goto errnokey; } /* find r = x1 mod n */ - if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK) { goto error; } + if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK) { goto error; } if (mp_iszero(r) == LTC_MP_YES) { ecc_free(&pubkey); } else { - /* find s = (e + xr)/k */ - if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/k */ - if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */ - if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ - if ((err = mp_mod(s, p, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ - if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK) { goto error; } /* s = (e + xr)/k */ - ecc_free(&pubkey); - if (mp_iszero(s) == LTC_MP_NO) { - break; - } + /* find s = (e + xr)/k */ + if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/k */ + if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */ + if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ + if ((err = mp_mod(s, p, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ + if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK) { goto error; } /* s = (e + xr)/k */ + ecc_free(&pubkey); + if (mp_iszero(s) == LTC_MP_NO) { + break; + } } + } while (--max_iterations > 0); + + if (max_iterations == 0) { + goto errnokey; } - err = CRYPT_OK; + if (sigformat == 1) { + /* RFC7518 format */ + if (*outlen < 2*pbytes) { err = CRYPT_MEM; goto errnokey; } + zeromem(out, 2*pbytes); + i = mp_unsigned_bin_size(r); + if ((err = mp_to_unsigned_bin(r, out + (pbytes - i))) != CRYPT_OK) { goto errnokey; } + i = mp_unsigned_bin_size(s); + if ((err = mp_to_unsigned_bin(s, out + (2*pbytes - i))) != CRYPT_OK) { goto errnokey; } + *outlen = 2*pbytes; + err = CRYPT_OK; + } + else { + /* store as ASN.1 SEQUENCE { r, s -- integer } */ + err = der_encode_sequence_multi(out, outlen, + LTC_ASN1_INTEGER, 1UL, r, + LTC_ASN1_INTEGER, 1UL, s, + LTC_ASN1_EOL, 0UL, NULL); + } goto errnokey; - error: ecc_free(&pubkey); errnokey: - mp_clear_multi(p, e, NULL); + mp_clear_multi(r, s, p, e, NULL); return err; } @@ -117,35 +140,29 @@ int ecc_sign_hash(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen, prng_state *prng, int wprng, ecc_key *key) { - void *r, *s; - int err; + return _ecc_sign_hash(in, inlen, out, outlen, prng, wprng, key, 0); +} - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(outlen != NULL); - LTC_ARGCHK(key != NULL); - - if (mp_init_multi(&r, &s, NULL) != CRYPT_OK) { - return CRYPT_MEM; - } - - if ((err = ecc_sign_hash_raw(in, inlen, r, s, prng, wprng, key)) != CRYPT_OK) { - goto error; - } - - /* store as SEQUENCE { r, s -- integer } */ - err = der_encode_sequence_multi(out, outlen, - LTC_ASN1_INTEGER, 1UL, r, - LTC_ASN1_INTEGER, 1UL, s, - LTC_ASN1_EOL, 0UL, NULL); - -error: - mp_clear_multi(r, s, NULL); - return err; +/** + Sign a message digest in RFC7518 format + @param in The message digest to sign + @param inlen The length of the digest + @param out [out] The destination for the signature + @param outlen [in/out] The max size and resulting size of the signature + @param prng An active PRNG state + @param wprng The index of the PRNG you wish to use + @param key A private ECC key + @return CRYPT_OK if successful +*/ +int ecc_sign_hash_rfc7518(const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + prng_state *prng, int wprng, ecc_key *key) +{ + return _ecc_sign_hash(in, inlen, out, outlen, prng, wprng, key, 1); } #endif + /* ref: $Format:%D$ */ /* git commit: $Format:%H$ */ /* commit time: $Format:%ai$ */ - diff --git a/src/pk/ecc/ecc_verify_hash.c b/src/pk/ecc/ecc_verify_hash.c index 80a2a62..af17758 100644 --- a/src/pk/ecc/ecc_verify_hash.c +++ b/src/pk/ecc/ecc_verify_hash.c @@ -7,51 +7,27 @@ * guarantee it works. */ -/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b - * - * All curves taken from NIST recommendation paper of July 1999 - * Available at http://csrc.nist.gov/cryptval/dss.htm - */ #include "tomcrypt.h" +#ifdef LTC_MECC + /** @file ecc_verify_hash.c ECC Crypto, Tom St Denis */ -#ifdef LTC_MECC - -/* verify - * - * w = s^-1 mod n - * u1 = xw - * u2 = rw - * X = u1*G + u2*Q - * v = X_x1 mod n - * accept if v == r - */ - -/** - Verify a ECC signature - @param r ECC "r" parameter - @param s ECC "s" parameter - @param hash The hash that was signed - @param hashlen The length of the hash that was signed - @param stat [out] The result of the signature verification, 1==valid, 0==invalid - @param key The corresponding public DH key - @return CRYPT_OK if successful (even if the signature is invalid) -*/ -int ecc_verify_hash_raw( void *r, void *s, - const unsigned char *hash, unsigned long hashlen, - int *stat, ecc_key *key) +static int _ecc_verify_hash(const unsigned char *sig, unsigned long siglen, + const unsigned char *hash, unsigned long hashlen, + int *stat, ecc_key *key, int sigformat) { ecc_point *mG, *mQ; - void *v, *w, *u1, *u2, *e, *p, *m; - void *mp = NULL; + void *r, *s, *v, *w, *u1, *u2, *e, *p, *m; + void *mp; int err; + unsigned long pbits, pbytes, i, shift_right; + unsigned char ch, buf[MAXBLOCKSIZE]; - LTC_ARGCHK(r != NULL); - LTC_ARGCHK(s != NULL); + LTC_ARGCHK(sig != NULL); LTC_ARGCHK(hash != NULL); LTC_ARGCHK(stat != NULL); LTC_ARGCHK(key != NULL); @@ -66,7 +42,7 @@ int ecc_verify_hash_raw( void *r, void *s, } /* allocate ints */ - if ((err = mp_init_multi(&v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) { + if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) { return CRYPT_MEM; } @@ -78,6 +54,24 @@ int ecc_verify_hash_raw( void *r, void *s, goto error; } + if (sigformat == 1) { + /* RFC7518 format */ + if ((siglen % 2) == 1) { + err = CRYPT_INVALID_PACKET; + goto error; + } + i = siglen / 2; + if ((err = mp_read_unsigned_bin(r, (unsigned char *)sig, i)) != CRYPT_OK) { goto error; } + if ((err = mp_read_unsigned_bin(s, (unsigned char *)sig+i, i)) != CRYPT_OK) { goto error; } + } + else { + /* ASN.1 format */ + if ((err = der_decode_sequence_multi(sig, siglen, + LTC_ASN1_INTEGER, 1UL, r, + LTC_ASN1_INTEGER, 1UL, s, + LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) { goto error; } + } + /* get the order */ if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto error; } @@ -90,8 +84,24 @@ int ecc_verify_hash_raw( void *r, void *s, goto error; } - /* read hash */ - if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, (int)hashlen)) != CRYPT_OK) { goto error; } + /* read hash - truncate if needed */ + pbits = mp_count_bits(p); + pbytes = (pbits+7) >> 3; + if (pbits > hashlen*8) { + if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, hashlen)) != CRYPT_OK) { goto error; } + } + else if (pbits % 8 == 0) { + if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, pbytes)) != CRYPT_OK) { goto error; } + } + else { + shift_right = 8 - pbits % 8; + for (i=0, ch=0; i> shift_right); + } + if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK) { goto error; } + } /* w = s^-1 mod n */ if ((err = mp_invmod(s, p, w)) != CRYPT_OK) { goto error; } @@ -142,7 +152,7 @@ int ecc_verify_hash_raw( void *r, void *s, error: ltc_ecc_del_point(mG); ltc_ecc_del_point(mQ); - mp_clear_multi(v, w, u1, u2, p, e, m, NULL); + mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL); if (mp != NULL) { mp_montgomery_free(mp); } @@ -159,42 +169,32 @@ error: @param key The corresponding public ECC key @return CRYPT_OK if successful (even if the signature is not valid) */ - int ecc_verify_hash(const unsigned char *sig, unsigned long siglen, const unsigned char *hash, unsigned long hashlen, int *stat, ecc_key *key) { - void *r, *s; - int err; + return _ecc_verify_hash(sig, siglen, hash, hashlen, stat, key, 0); +} - LTC_ARGCHK(sig != NULL); - LTC_ARGCHK(hash != NULL); - LTC_ARGCHK(stat != NULL); - LTC_ARGCHK(key != NULL); - - /* allocate ints */ - if ((err = mp_init_multi(&r, &s, NULL)) != CRYPT_OK) { - return CRYPT_MEM; - } - - /* parse header */ - if ((err = der_decode_sequence_multi(sig, siglen, - LTC_ASN1_INTEGER, 1UL, r, - LTC_ASN1_INTEGER, 1UL, s, - LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) { - goto error; - } - - /* do the op */ - err = ecc_verify_hash_raw(r, s, hash, hashlen, stat, key); - -error: - mp_clear_multi(r, s, NULL); - return err; +/** + Verify an ECC signature in RFC7518 format + @param sig The signature to verify + @param siglen The length of the signature (octets) + @param hash The hash (message digest) that was signed + @param hashlen The length of the hash (octets) + @param stat Result of signature, 1==valid, 0==invalid + @param key The corresponding public ECC key + @return CRYPT_OK if successful (even if the signature is not valid) +*/ +int ecc_verify_hash_rfc7518(const unsigned char *sig, unsigned long siglen, + const unsigned char *hash, unsigned long hashlen, + int *stat, ecc_key *key) +{ + return _ecc_verify_hash(sig, siglen, hash, hashlen, stat, key, 1); } #endif + /* ref: $Format:%D$ */ /* git commit: $Format:%H$ */ /* commit time: $Format:%ai$ */ - diff --git a/tests/ecc_test.c b/tests/ecc_test.c index 7fb88d4..da981c3 100644 --- a/tests/ecc_test.c +++ b/tests/ecc_test.c @@ -230,6 +230,19 @@ int ecc_tests (void) fprintf(stderr, "ecc_verify_hash failed %d, %d, ", stat, stat2); return 1; } + /* test sign_hash_rfc7518 */ + for (ch = 0; ch < 16; ch++) { + buf[0][ch] = ch; + } + x = sizeof (buf[1]); + DO(ecc_sign_hash_rfc7518(buf[0], 16, buf[1], &x, &yarrow_prng, find_prng ("yarrow"), &privKey)); + DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat, &pubKey)); + buf[0][0] ^= 1; + DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat2, &privKey)); + if (!(stat == 1 && stat2 == 0)) { + fprintf(stderr, "ecc_verify_hash_rfc7518 failed %d, %d, ", stat, stat2); + return 1; + } ecc_free (&usera); ecc_free (&pubKey); ecc_free (&privKey);