ecc_sign+verify_hash_raw > ecc_sign+verify_hash_rfc7518

This commit is contained in:
Karel Miko 2017-06-21 12:11:35 +02:00
parent c14bcf4d30
commit 67200b641d
3 changed files with 154 additions and 144 deletions

View File

@ -314,17 +314,17 @@ int ecc_decrypt_key(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen, unsigned char *out, unsigned long *outlen,
ecc_key *key); ecc_key *key);
int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen, int ecc_sign_hash_rfc7518(const unsigned char *in, unsigned long inlen,
void *r, void *s, unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key); prng_state *prng, int wprng, ecc_key *key);
int ecc_sign_hash(const unsigned char *in, unsigned long inlen, int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen, unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key); prng_state *prng, int wprng, ecc_key *key);
int ecc_verify_hash_raw( void *r, void *s, int ecc_verify_hash_rfc7518(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen, const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key); int *stat, ecc_key *key);
int ecc_verify_hash(const unsigned char *sig, unsigned long siglen, int ecc_verify_hash(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen, const unsigned char *hash, unsigned long hashlen,

View File

@ -7,43 +7,29 @@
* guarantee it works. * guarantee it works.
*/ */
/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
*
* All curves taken from NIST recommendation paper of July 1999
* Available at http://csrc.nist.gov/cryptval/dss.htm
*/
#include "tomcrypt.h" #include "tomcrypt.h"
#ifdef LTC_MECC
/** /**
@file ecc_sign_hash.c @file ecc_sign_hash.c
ECC Crypto, Tom St Denis ECC Crypto, Tom St Denis
*/ */
#ifdef LTC_MECC static int ecc_sign_hash_ex(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
/** prng_state *prng, int wprng, ecc_key *key, int sigformat)
Sign a hash with ECC
@param in The hash to sign
@param inlen The length of the hash to sign
@param r The "r" integer of the signature (caller must initialize with mp_init() first)
@param s The "s" integer of the signature (caller must initialize with mp_init() first)
@param prng An active PRNG state
@param wprng The index of the PRNG desired
@param key A private ECC key
@return CRYPT_OK if successful
*/
int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
void *r, void *s,
prng_state *prng, int wprng, ecc_key *key)
{ {
ecc_key pubkey; ecc_key pubkey;
void *e, *p; void *r, *s, *e, *p;
int err; int err;
unsigned long pbits, pbytes, i, shift_right;
unsigned char ch, buf[MAXBLOCKSIZE];
LTC_ARGCHK(in != NULL); LTC_ARGCHK(in != NULL);
LTC_ARGCHK(r != NULL); LTC_ARGCHK(out != NULL);
LTC_ARGCHK(s != NULL); LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL); LTC_ARGCHK(key != NULL);
/* is this a private key? */ /* is this a private key? */
if (key->type != PK_PRIVATE) { if (key->type != PK_PRIVATE) {
@ -59,13 +45,30 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
return err; return err;
} }
/* get the hash and load it as a bignum into 'e' */
/* init the bignums */ /* init the bignums */
if ((err = mp_init_multi(&p, &e, NULL)) != CRYPT_OK) { if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != CRYPT_OK) {
return err; return err;
} }
if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto errnokey; } if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto errnokey; }
if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto errnokey; }
/* get the hash and load it as a bignum into 'e' */
pbits = mp_count_bits(p);
pbytes = (pbits+7) >> 3;
if (pbits > inlen*8) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, inlen)) != CRYPT_OK) { goto errnokey; }
}
else if (pbits % 8 == 0) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, pbytes)) != CRYPT_OK) { goto errnokey; }
}
else {
shift_right = 8 - pbits % 8;
for (i=0, ch=0; i<pbytes; i++) {
buf[i] = ch;
ch = (in[i] << (8-shift_right));
buf[i] = buf[i] ^ (in[i] >> shift_right);
}
if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK) { goto errnokey; }
}
/* make up a key and export the public copy */ /* make up a key and export the public copy */
for (;;) { for (;;) {
@ -74,31 +77,47 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
} }
/* find r = x1 mod n */ /* find r = x1 mod n */
if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK) { goto error; } if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK) { goto error; }
if (mp_iszero(r) == LTC_MP_YES) { if (mp_iszero(r) == LTC_MP_YES) {
ecc_free(&pubkey); ecc_free(&pubkey);
} else { } else {
/* find s = (e + xr)/k */ /* find s = (e + xr)/k */
if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/k */ if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/k */
if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */ if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */
if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e + xr */
if ((err = mp_mod(s, p, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ if ((err = mp_mod(s, p, s)) != CRYPT_OK) { goto error; } /* s = e + xr */
if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK) { goto error; } /* s = (e + xr)/k */ if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK) { goto error; } /* s = (e + xr)/k */
ecc_free(&pubkey); ecc_free(&pubkey);
if (mp_iszero(s) == LTC_MP_NO) { if (mp_iszero(s) == LTC_MP_NO) {
break; break;
} }
} }
} }
err = CRYPT_OK; if (sigformat == 1) {
/* RFC7518 format */
if (*outlen < 2*pbytes) { err = CRYPT_MEM; goto errnokey; }
zeromem(out, 2*pbytes);
i = mp_unsigned_bin_size(r);
if ((err = mp_to_unsigned_bin(r, out + (pbytes - i))) != CRYPT_OK) { goto errnokey; }
i = mp_unsigned_bin_size(s);
if ((err = mp_to_unsigned_bin(s, out + (2*pbytes - i))) != CRYPT_OK) { goto errnokey; }
*outlen = 2*pbytes;
err = CRYPT_OK;
}
else {
/* store as ASN.1 SEQUENCE { r, s -- integer } */
err = der_encode_sequence_multi(out, outlen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL);
}
goto errnokey; goto errnokey;
error: error:
ecc_free(&pubkey); ecc_free(&pubkey);
errnokey: errnokey:
mp_clear_multi(p, e, NULL); mp_clear_multi(r, s, p, e, NULL);
return err; return err;
} }
@ -117,35 +136,29 @@ int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen, unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key) prng_state *prng, int wprng, ecc_key *key)
{ {
void *r, *s; return ecc_sign_hash_ex(in, inlen, out, outlen, prng, wprng, key, 0);
int err; }
LTC_ARGCHK(in != NULL); /**
LTC_ARGCHK(out != NULL); Sign a message digest in RFC7518 format
LTC_ARGCHK(outlen != NULL); @param in The message digest to sign
LTC_ARGCHK(key != NULL); @param inlen The length of the digest
@param out [out] The destination for the signature
if (mp_init_multi(&r, &s, NULL) != CRYPT_OK) { @param outlen [in/out] The max size and resulting size of the signature
return CRYPT_MEM; @param prng An active PRNG state
} @param wprng The index of the PRNG you wish to use
@param key A private ECC key
if ((err = ecc_sign_hash_raw(in, inlen, r, s, prng, wprng, key)) != CRYPT_OK) { @return CRYPT_OK if successful
goto error; */
} int ecc_sign_hash_rfc7518(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
/* store as SEQUENCE { r, s -- integer } */ prng_state *prng, int wprng, ecc_key *key)
err = der_encode_sequence_multi(out, outlen, {
LTC_ASN1_INTEGER, 1UL, r, return ecc_sign_hash_ex(in, inlen, out, outlen, prng, wprng, key, 1);
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL);
error:
mp_clear_multi(r, s, NULL);
return err;
} }
#endif #endif
/* ref: $Format:%D$ */ /* ref: $Format:%D$ */
/* git commit: $Format:%H$ */ /* git commit: $Format:%H$ */
/* commit time: $Format:%ai$ */ /* commit time: $Format:%ai$ */

View File

@ -7,51 +7,27 @@
* guarantee it works. * guarantee it works.
*/ */
/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
*
* All curves taken from NIST recommendation paper of July 1999
* Available at http://csrc.nist.gov/cryptval/dss.htm
*/
#include "tomcrypt.h" #include "tomcrypt.h"
#ifdef LTC_MECC
/** /**
@file ecc_verify_hash.c @file ecc_verify_hash.c
ECC Crypto, Tom St Denis ECC Crypto, Tom St Denis
*/ */
#ifdef LTC_MECC static int ecc_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen,
/* verify int *stat, ecc_key *key, int sigformat)
*
* w = s^-1 mod n
* u1 = xw
* u2 = rw
* X = u1*G + u2*Q
* v = X_x1 mod n
* accept if v == r
*/
/**
Verify a ECC signature
@param r ECC "r" parameter
@param s ECC "s" parameter
@param hash The hash that was signed
@param hashlen The length of the hash that was signed
@param stat [out] The result of the signature verification, 1==valid, 0==invalid
@param key The corresponding public DH key
@return CRYPT_OK if successful (even if the signature is invalid)
*/
int ecc_verify_hash_raw( void *r, void *s,
const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key)
{ {
ecc_point *mG, *mQ; ecc_point *mG, *mQ;
void *v, *w, *u1, *u2, *e, *p, *m; void *r, *s, *v, *w, *u1, *u2, *e, *p, *m;
void *mp = NULL; void *mp;
int err; int err;
unsigned long pbits, pbytes, i, shift_right;
unsigned char ch, buf[MAXBLOCKSIZE];
LTC_ARGCHK(r != NULL); LTC_ARGCHK(sig != NULL);
LTC_ARGCHK(s != NULL);
LTC_ARGCHK(hash != NULL); LTC_ARGCHK(hash != NULL);
LTC_ARGCHK(stat != NULL); LTC_ARGCHK(stat != NULL);
LTC_ARGCHK(key != NULL); LTC_ARGCHK(key != NULL);
@ -66,7 +42,7 @@ int ecc_verify_hash_raw( void *r, void *s,
} }
/* allocate ints */ /* allocate ints */
if ((err = mp_init_multi(&v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) { if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) {
return CRYPT_MEM; return CRYPT_MEM;
} }
@ -78,6 +54,24 @@ int ecc_verify_hash_raw( void *r, void *s,
goto error; goto error;
} }
if (sigformat == 1) {
/* RFC7518 format */
if ((siglen % 2) == 1) {
err = CRYPT_INVALID_PACKET;
goto error;
}
i = siglen / 2;
if ((err = mp_read_unsigned_bin(r, (unsigned char *)sig, i)) != CRYPT_OK) { goto error; }
if ((err = mp_read_unsigned_bin(s, (unsigned char *)sig+i, i)) != CRYPT_OK) { goto error; }
}
else {
/* ASN.1 format */
if ((err = der_decode_sequence_multi(sig, siglen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) { goto error; }
}
/* get the order */ /* get the order */
if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto error; } if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto error; }
@ -90,8 +84,24 @@ int ecc_verify_hash_raw( void *r, void *s,
goto error; goto error;
} }
/* read hash */ /* read hash - truncate if needed */
if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, (int)hashlen)) != CRYPT_OK) { goto error; } pbits = mp_count_bits(p);
pbytes = (pbits+7) >> 3;
if (pbits > hashlen*8) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, hashlen)) != CRYPT_OK) { goto error; }
}
else if (pbits % 8 == 0) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, pbytes)) != CRYPT_OK) { goto error; }
}
else {
shift_right = 8 - pbits % 8;
for (i=0, ch=0; i<pbytes; i++) {
buf[i] = ch;
ch = (hash[i] << (8-shift_right));
buf[i] = buf[i] ^ (hash[i] >> shift_right);
}
if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK) { goto error; }
}
/* w = s^-1 mod n */ /* w = s^-1 mod n */
if ((err = mp_invmod(s, p, w)) != CRYPT_OK) { goto error; } if ((err = mp_invmod(s, p, w)) != CRYPT_OK) { goto error; }
@ -116,9 +126,6 @@ int ecc_verify_hash_raw( void *r, void *s,
if ((err = ltc_mp.ecc_ptmul(u1, mG, mG, m, 0)) != CRYPT_OK) { goto error; } if ((err = ltc_mp.ecc_ptmul(u1, mG, mG, m, 0)) != CRYPT_OK) { goto error; }
if ((err = ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0)) != CRYPT_OK) { goto error; } if ((err = ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0)) != CRYPT_OK) { goto error; }
/* find the montgomery mp */
if ((err = mp_montgomery_setup(m, &mp)) != CRYPT_OK) { goto error; }
/* add them */ /* add them */
if ((err = ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp)) != CRYPT_OK) { goto error; } if ((err = ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp)) != CRYPT_OK) { goto error; }
@ -142,7 +149,7 @@ int ecc_verify_hash_raw( void *r, void *s,
error: error:
ltc_ecc_del_point(mG); ltc_ecc_del_point(mG);
ltc_ecc_del_point(mQ); ltc_ecc_del_point(mQ);
mp_clear_multi(v, w, u1, u2, p, e, m, NULL); mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL);
if (mp != NULL) { if (mp != NULL) {
mp_montgomery_free(mp); mp_montgomery_free(mp);
} }
@ -159,42 +166,32 @@ error:
@param key The corresponding public ECC key @param key The corresponding public ECC key
@return CRYPT_OK if successful (even if the signature is not valid) @return CRYPT_OK if successful (even if the signature is not valid)
*/ */
int ecc_verify_hash(const unsigned char *sig, unsigned long siglen, int ecc_verify_hash(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen, const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key) int *stat, ecc_key *key)
{ {
void *r, *s; return ecc_verify_hash_ex(sig, siglen, hash, hashlen, stat, key, 0);
int err; }
LTC_ARGCHK(sig != NULL); /**
LTC_ARGCHK(hash != NULL); Verify an ECC signature in RFC7518 format
LTC_ARGCHK(stat != NULL); @param sig The signature to verify
LTC_ARGCHK(key != NULL); @param siglen The length of the signature (octets)
@param hash The hash (message digest) that was signed
/* allocate ints */ @param hashlen The length of the hash (octets)
if ((err = mp_init_multi(&r, &s, NULL)) != CRYPT_OK) { @param stat Result of signature, 1==valid, 0==invalid
return CRYPT_MEM; @param key The corresponding public ECC key
} @return CRYPT_OK if successful (even if the signature is not valid)
*/
/* parse header */ int ecc_verify_hash_rfc7518(const unsigned char *sig, unsigned long siglen,
if ((err = der_decode_sequence_multi(sig, siglen, const unsigned char *hash, unsigned long hashlen,
LTC_ASN1_INTEGER, 1UL, r, int *stat, ecc_key *key)
LTC_ASN1_INTEGER, 1UL, s, {
LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) { return ecc_verify_hash_ex(sig, siglen, hash, hashlen, stat, key, 1);
goto error;
}
/* do the op */
err = ecc_verify_hash_raw(r, s, hash, hashlen, stat, key);
error:
mp_clear_multi(r, s, NULL);
return err;
} }
#endif #endif
/* ref: $Format:%D$ */ /* ref: $Format:%D$ */
/* git commit: $Format:%H$ */ /* git commit: $Format:%H$ */
/* commit time: $Format:%ai$ */ /* commit time: $Format:%ai$ */