ecc_sign+verify_hash_raw > ecc_sign+verify_hash_rfc7518

This commit is contained in:
Karel Miko 2017-06-21 12:11:35 +02:00
parent c14bcf4d30
commit 67200b641d
3 changed files with 154 additions and 144 deletions

View File

@ -314,15 +314,15 @@ int ecc_decrypt_key(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
ecc_key *key);
int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
void *r, void *s,
int ecc_sign_hash_rfc7518(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key);
int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key);
int ecc_verify_hash_raw( void *r, void *s,
int ecc_verify_hash_rfc7518(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key);

View File

@ -7,42 +7,28 @@
* guarantee it works.
*/
/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
*
* All curves taken from NIST recommendation paper of July 1999
* Available at http://csrc.nist.gov/cryptval/dss.htm
*/
#include "tomcrypt.h"
#ifdef LTC_MECC
/**
@file ecc_sign_hash.c
ECC Crypto, Tom St Denis
*/
#ifdef LTC_MECC
/**
Sign a hash with ECC
@param in The hash to sign
@param inlen The length of the hash to sign
@param r The "r" integer of the signature (caller must initialize with mp_init() first)
@param s The "s" integer of the signature (caller must initialize with mp_init() first)
@param prng An active PRNG state
@param wprng The index of the PRNG desired
@param key A private ECC key
@return CRYPT_OK if successful
*/
int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
void *r, void *s,
prng_state *prng, int wprng, ecc_key *key)
static int ecc_sign_hash_ex(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key, int sigformat)
{
ecc_key pubkey;
void *e, *p;
void *r, *s, *e, *p;
int err;
unsigned long pbits, pbytes, i, shift_right;
unsigned char ch, buf[MAXBLOCKSIZE];
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(r != NULL);
LTC_ARGCHK(s != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
/* is this a private key? */
@ -59,13 +45,30 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
return err;
}
/* get the hash and load it as a bignum into 'e' */
/* init the bignums */
if ((err = mp_init_multi(&p, &e, NULL)) != CRYPT_OK) {
if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != CRYPT_OK) {
return err;
}
if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto errnokey; }
if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto errnokey; }
/* get the hash and load it as a bignum into 'e' */
pbits = mp_count_bits(p);
pbytes = (pbits+7) >> 3;
if (pbits > inlen*8) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, inlen)) != CRYPT_OK) { goto errnokey; }
}
else if (pbits % 8 == 0) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, pbytes)) != CRYPT_OK) { goto errnokey; }
}
else {
shift_right = 8 - pbits % 8;
for (i=0, ch=0; i<pbytes; i++) {
buf[i] = ch;
ch = (in[i] << (8-shift_right));
buf[i] = buf[i] ^ (in[i] >> shift_right);
}
if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK) { goto errnokey; }
}
/* make up a key and export the public copy */
for (;;) {
@ -92,13 +95,29 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
}
}
if (sigformat == 1) {
/* RFC7518 format */
if (*outlen < 2*pbytes) { err = CRYPT_MEM; goto errnokey; }
zeromem(out, 2*pbytes);
i = mp_unsigned_bin_size(r);
if ((err = mp_to_unsigned_bin(r, out + (pbytes - i))) != CRYPT_OK) { goto errnokey; }
i = mp_unsigned_bin_size(s);
if ((err = mp_to_unsigned_bin(s, out + (2*pbytes - i))) != CRYPT_OK) { goto errnokey; }
*outlen = 2*pbytes;
err = CRYPT_OK;
}
else {
/* store as ASN.1 SEQUENCE { r, s -- integer } */
err = der_encode_sequence_multi(out, outlen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL);
}
goto errnokey;
error:
ecc_free(&pubkey);
errnokey:
mp_clear_multi(p, e, NULL);
mp_clear_multi(r, s, p, e, NULL);
return err;
}
@ -117,35 +136,29 @@ int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key)
{
void *r, *s;
int err;
return ecc_sign_hash_ex(in, inlen, out, outlen, prng, wprng, key, 0);
}
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
if (mp_init_multi(&r, &s, NULL) != CRYPT_OK) {
return CRYPT_MEM;
}
if ((err = ecc_sign_hash_raw(in, inlen, r, s, prng, wprng, key)) != CRYPT_OK) {
goto error;
}
/* store as SEQUENCE { r, s -- integer } */
err = der_encode_sequence_multi(out, outlen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL);
error:
mp_clear_multi(r, s, NULL);
return err;
/**
Sign a message digest in RFC7518 format
@param in The message digest to sign
@param inlen The length of the digest
@param out [out] The destination for the signature
@param outlen [in/out] The max size and resulting size of the signature
@param prng An active PRNG state
@param wprng The index of the PRNG you wish to use
@param key A private ECC key
@return CRYPT_OK if successful
*/
int ecc_sign_hash_rfc7518(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key)
{
return ecc_sign_hash_ex(in, inlen, out, outlen, prng, wprng, key, 1);
}
#endif
/* ref: $Format:%D$ */
/* git commit: $Format:%H$ */
/* commit time: $Format:%ai$ */

View File

@ -7,51 +7,27 @@
* guarantee it works.
*/
/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
*
* All curves taken from NIST recommendation paper of July 1999
* Available at http://csrc.nist.gov/cryptval/dss.htm
*/
#include "tomcrypt.h"
#ifdef LTC_MECC
/**
@file ecc_verify_hash.c
ECC Crypto, Tom St Denis
*/
#ifdef LTC_MECC
/* verify
*
* w = s^-1 mod n
* u1 = xw
* u2 = rw
* X = u1*G + u2*Q
* v = X_x1 mod n
* accept if v == r
*/
/**
Verify a ECC signature
@param r ECC "r" parameter
@param s ECC "s" parameter
@param hash The hash that was signed
@param hashlen The length of the hash that was signed
@param stat [out] The result of the signature verification, 1==valid, 0==invalid
@param key The corresponding public DH key
@return CRYPT_OK if successful (even if the signature is invalid)
*/
int ecc_verify_hash_raw( void *r, void *s,
static int ecc_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key)
int *stat, ecc_key *key, int sigformat)
{
ecc_point *mG, *mQ;
void *v, *w, *u1, *u2, *e, *p, *m;
void *mp = NULL;
void *r, *s, *v, *w, *u1, *u2, *e, *p, *m;
void *mp;
int err;
unsigned long pbits, pbytes, i, shift_right;
unsigned char ch, buf[MAXBLOCKSIZE];
LTC_ARGCHK(r != NULL);
LTC_ARGCHK(s != NULL);
LTC_ARGCHK(sig != NULL);
LTC_ARGCHK(hash != NULL);
LTC_ARGCHK(stat != NULL);
LTC_ARGCHK(key != NULL);
@ -66,7 +42,7 @@ int ecc_verify_hash_raw( void *r, void *s,
}
/* allocate ints */
if ((err = mp_init_multi(&v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) {
if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) {
return CRYPT_MEM;
}
@ -78,6 +54,24 @@ int ecc_verify_hash_raw( void *r, void *s,
goto error;
}
if (sigformat == 1) {
/* RFC7518 format */
if ((siglen % 2) == 1) {
err = CRYPT_INVALID_PACKET;
goto error;
}
i = siglen / 2;
if ((err = mp_read_unsigned_bin(r, (unsigned char *)sig, i)) != CRYPT_OK) { goto error; }
if ((err = mp_read_unsigned_bin(s, (unsigned char *)sig+i, i)) != CRYPT_OK) { goto error; }
}
else {
/* ASN.1 format */
if ((err = der_decode_sequence_multi(sig, siglen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) { goto error; }
}
/* get the order */
if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto error; }
@ -90,8 +84,24 @@ int ecc_verify_hash_raw( void *r, void *s,
goto error;
}
/* read hash */
if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, (int)hashlen)) != CRYPT_OK) { goto error; }
/* read hash - truncate if needed */
pbits = mp_count_bits(p);
pbytes = (pbits+7) >> 3;
if (pbits > hashlen*8) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, hashlen)) != CRYPT_OK) { goto error; }
}
else if (pbits % 8 == 0) {
if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, pbytes)) != CRYPT_OK) { goto error; }
}
else {
shift_right = 8 - pbits % 8;
for (i=0, ch=0; i<pbytes; i++) {
buf[i] = ch;
ch = (hash[i] << (8-shift_right));
buf[i] = buf[i] ^ (hash[i] >> shift_right);
}
if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK) { goto error; }
}
/* w = s^-1 mod n */
if ((err = mp_invmod(s, p, w)) != CRYPT_OK) { goto error; }
@ -116,9 +126,6 @@ int ecc_verify_hash_raw( void *r, void *s,
if ((err = ltc_mp.ecc_ptmul(u1, mG, mG, m, 0)) != CRYPT_OK) { goto error; }
if ((err = ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0)) != CRYPT_OK) { goto error; }
/* find the montgomery mp */
if ((err = mp_montgomery_setup(m, &mp)) != CRYPT_OK) { goto error; }
/* add them */
if ((err = ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp)) != CRYPT_OK) { goto error; }
@ -142,7 +149,7 @@ int ecc_verify_hash_raw( void *r, void *s,
error:
ltc_ecc_del_point(mG);
ltc_ecc_del_point(mQ);
mp_clear_multi(v, w, u1, u2, p, e, m, NULL);
mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL);
if (mp != NULL) {
mp_montgomery_free(mp);
}
@ -159,42 +166,32 @@ error:
@param key The corresponding public ECC key
@return CRYPT_OK if successful (even if the signature is not valid)
*/
int ecc_verify_hash(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key)
{
void *r, *s;
int err;
return ecc_verify_hash_ex(sig, siglen, hash, hashlen, stat, key, 0);
}
LTC_ARGCHK(sig != NULL);
LTC_ARGCHK(hash != NULL);
LTC_ARGCHK(stat != NULL);
LTC_ARGCHK(key != NULL);
/* allocate ints */
if ((err = mp_init_multi(&r, &s, NULL)) != CRYPT_OK) {
return CRYPT_MEM;
}
/* parse header */
if ((err = der_decode_sequence_multi(sig, siglen,
LTC_ASN1_INTEGER, 1UL, r,
LTC_ASN1_INTEGER, 1UL, s,
LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) {
goto error;
}
/* do the op */
err = ecc_verify_hash_raw(r, s, hash, hashlen, stat, key);
error:
mp_clear_multi(r, s, NULL);
return err;
/**
Verify an ECC signature in RFC7518 format
@param sig The signature to verify
@param siglen The length of the signature (octets)
@param hash The hash (message digest) that was signed
@param hashlen The length of the hash (octets)
@param stat Result of signature, 1==valid, 0==invalid
@param key The corresponding public ECC key
@return CRYPT_OK if successful (even if the signature is not valid)
*/
int ecc_verify_hash_rfc7518(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key)
{
return ecc_verify_hash_ex(sig, siglen, hash, hashlen, stat, key, 1);
}
#endif
/* ref: $Format:%D$ */
/* git commit: $Format:%H$ */
/* commit time: $Format:%ai$ */