1 /*
2 * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ecdsa.h>
11
12 #include <limits.h>
13 #include <string.h>
14
15 #include <openssl/bn.h>
16 #include <openssl/bytestring.h>
17 #include <openssl/ec_key.h>
18 #include <openssl/err.h>
19 #include <openssl/mem.h>
20
21 #include "../bytestring/internal.h"
22 #include "../fipsmodule/ecdsa/internal.h"
23 #include "../internal.h"
24
25
ecdsa_sig_from_fixed(const EC_KEY * key,const uint8_t * in,size_t len)26 static ECDSA_SIG *ecdsa_sig_from_fixed(const EC_KEY *key, const uint8_t *in,
27 size_t len) {
28 const EC_GROUP *group = EC_KEY_get0_group(key);
29 if (group == NULL) {
30 OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
31 return NULL;
32 }
33 size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
34 if (len != 2 * scalar_len) {
35 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
36 return NULL;
37 }
38 ECDSA_SIG *ret = ECDSA_SIG_new();
39 if (ret == NULL || !BN_bin2bn(in, scalar_len, ret->r) ||
40 !BN_bin2bn(in + scalar_len, scalar_len, ret->s)) {
41 ECDSA_SIG_free(ret);
42 return NULL;
43 }
44 return ret;
45 }
46
ecdsa_sig_to_fixed(const EC_KEY * key,uint8_t * out,size_t * out_len,size_t max_out,const ECDSA_SIG * sig)47 static int ecdsa_sig_to_fixed(const EC_KEY *key, uint8_t *out, size_t *out_len,
48 size_t max_out, const ECDSA_SIG *sig) {
49 const EC_GROUP *group = EC_KEY_get0_group(key);
50 if (group == NULL) {
51 OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
52 return 0;
53 }
54 size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
55 if (max_out < 2 * scalar_len) {
56 OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
57 return 0;
58 }
59 if (BN_is_negative(sig->r) || !BN_bn2bin_padded(out, scalar_len, sig->r) ||
60 BN_is_negative(sig->s) ||
61 !BN_bn2bin_padded(out + scalar_len, scalar_len, sig->s)) {
62 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
63 return 0;
64 }
65 *out_len = 2 * scalar_len;
66 return 1;
67 }
68
ECDSA_sign(int type,const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * out_sig_len,const EC_KEY * eckey)69 int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,
70 unsigned int *out_sig_len, const EC_KEY *eckey) {
71 if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
72 return eckey->ecdsa_meth->sign(digest, digest_len, sig, out_sig_len,
73 (EC_KEY *)eckey /* cast away const */);
74 }
75
76 *out_sig_len = 0;
77 uint8_t fixed[ECDSA_MAX_FIXED_LEN];
78 size_t fixed_len;
79 if (!ecdsa_sign_fixed(digest, digest_len, fixed, &fixed_len, sizeof(fixed),
80 eckey)) {
81 return 0;
82 }
83
84 // TODO(davidben): We can actually do better and go straight from the DER
85 // format to the fixed-width format without a malloc.
86 ECDSA_SIG *s = ecdsa_sig_from_fixed(eckey, fixed, fixed_len);
87 if (s == NULL) {
88 return 0;
89 }
90
91 int ret = 0;
92 CBB cbb;
93 CBB_init_fixed(&cbb, sig, ECDSA_size(eckey));
94 size_t len;
95 if (!ECDSA_SIG_marshal(&cbb, s) || !CBB_finish(&cbb, NULL, &len)) {
96 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
97 goto err;
98 }
99 *out_sig_len = (unsigned)len;
100 ret = 1;
101
102 err:
103 ECDSA_SIG_free(s);
104 return ret;
105 }
106
ECDSA_verify(int type,const uint8_t * digest,size_t digest_len,const uint8_t * sig,size_t sig_len,const EC_KEY * eckey)107 int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
108 const uint8_t *sig, size_t sig_len, const EC_KEY *eckey) {
109 // Decode the ECDSA signature.
110 //
111 // TODO(davidben): We can actually do better and go straight from the DER
112 // format to the fixed-width format without a malloc.
113 int ret = 0;
114 uint8_t *der = NULL;
115 ECDSA_SIG *s = ECDSA_SIG_from_bytes(sig, sig_len);
116 if (s == NULL) {
117 goto err;
118 }
119
120 // Defend against potential laxness in the DER parser.
121 size_t der_len;
122 if (!ECDSA_SIG_to_bytes(&der, &der_len, s) || der_len != sig_len ||
123 OPENSSL_memcmp(sig, der, sig_len) != 0) {
124 // This should never happen. crypto/bytestring is strictly DER.
125 OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
126 goto err;
127 }
128
129 uint8_t fixed[ECDSA_MAX_FIXED_LEN];
130 size_t fixed_len;
131 ret = ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), s) &&
132 ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey);
133
134 err:
135 OPENSSL_free(der);
136 ECDSA_SIG_free(s);
137 return ret;
138 }
139
140
ECDSA_size(const EC_KEY * key)141 size_t ECDSA_size(const EC_KEY *key) {
142 if (key == NULL) {
143 return 0;
144 }
145
146 size_t group_order_size;
147 if (key->ecdsa_meth && key->ecdsa_meth->group_order_size) {
148 group_order_size = key->ecdsa_meth->group_order_size(key);
149 } else {
150 const EC_GROUP *group = EC_KEY_get0_group(key);
151 if (group == NULL) {
152 return 0;
153 }
154
155 group_order_size = BN_num_bytes(EC_GROUP_get0_order(group));
156 }
157
158 return ECDSA_SIG_max_len(group_order_size);
159 }
160
ECDSA_SIG_new(void)161 ECDSA_SIG *ECDSA_SIG_new(void) {
162 ECDSA_SIG *sig =
163 reinterpret_cast<ECDSA_SIG *>(OPENSSL_malloc(sizeof(ECDSA_SIG)));
164 if (sig == NULL) {
165 return NULL;
166 }
167 sig->r = BN_new();
168 sig->s = BN_new();
169 if (sig->r == NULL || sig->s == NULL) {
170 ECDSA_SIG_free(sig);
171 return NULL;
172 }
173 return sig;
174 }
175
ECDSA_SIG_free(ECDSA_SIG * sig)176 void ECDSA_SIG_free(ECDSA_SIG *sig) {
177 if (sig == NULL) {
178 return;
179 }
180
181 BN_free(sig->r);
182 BN_free(sig->s);
183 OPENSSL_free(sig);
184 }
185
ECDSA_SIG_get0_r(const ECDSA_SIG * sig)186 const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) { return sig->r; }
187
ECDSA_SIG_get0_s(const ECDSA_SIG * sig)188 const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) { return sig->s; }
189
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** out_r,const BIGNUM ** out_s)190 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,
191 const BIGNUM **out_s) {
192 if (out_r != NULL) {
193 *out_r = sig->r;
194 }
195 if (out_s != NULL) {
196 *out_s = sig->s;
197 }
198 }
199
ECDSA_SIG_set0(ECDSA_SIG * sig,BIGNUM * r,BIGNUM * s)200 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
201 if (r == NULL || s == NULL) {
202 return 0;
203 }
204 BN_free(sig->r);
205 BN_free(sig->s);
206 sig->r = r;
207 sig->s = s;
208 return 1;
209 }
210
ECDSA_do_verify(const uint8_t * digest,size_t digest_len,const ECDSA_SIG * sig,const EC_KEY * eckey)211 int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
212 const ECDSA_SIG *sig, const EC_KEY *eckey) {
213 uint8_t fixed[ECDSA_MAX_FIXED_LEN];
214 size_t fixed_len;
215 return ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), sig) &&
216 ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey);
217 }
218
219 // This function is only exported for testing and is not called in production
220 // code.
ECDSA_sign_with_nonce_and_leak_private_key_for_testing(const uint8_t * digest,size_t digest_len,const EC_KEY * eckey,const uint8_t * nonce,size_t nonce_len)221 ECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing(
222 const uint8_t *digest, size_t digest_len, const EC_KEY *eckey,
223 const uint8_t *nonce, size_t nonce_len) {
224 uint8_t sig[ECDSA_MAX_FIXED_LEN];
225 size_t sig_len;
226 if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test(
227 digest, digest_len, sig, &sig_len, sizeof(sig), eckey, nonce,
228 nonce_len)) {
229 return NULL;
230 }
231
232 return ecdsa_sig_from_fixed(eckey, sig, sig_len);
233 }
234
ECDSA_do_sign(const uint8_t * digest,size_t digest_len,const EC_KEY * eckey)235 ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
236 const EC_KEY *eckey) {
237 uint8_t sig[ECDSA_MAX_FIXED_LEN];
238 size_t sig_len;
239 if (!ecdsa_sign_fixed(digest, digest_len, sig, &sig_len, sizeof(sig),
240 eckey)) {
241 return NULL;
242 }
243
244 return ecdsa_sig_from_fixed(eckey, sig, sig_len);
245 }
246
ECDSA_SIG_parse(CBS * cbs)247 ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) {
248 ECDSA_SIG *ret = ECDSA_SIG_new();
249 if (ret == NULL) {
250 return NULL;
251 }
252 CBS child;
253 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
254 !BN_parse_asn1_unsigned(&child, ret->r) ||
255 !BN_parse_asn1_unsigned(&child, ret->s) || CBS_len(&child) != 0) {
256 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
257 ECDSA_SIG_free(ret);
258 return NULL;
259 }
260 return ret;
261 }
262
ECDSA_SIG_from_bytes(const uint8_t * in,size_t in_len)263 ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {
264 CBS cbs;
265 CBS_init(&cbs, in, in_len);
266 ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
267 if (ret == NULL || CBS_len(&cbs) != 0) {
268 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
269 ECDSA_SIG_free(ret);
270 return NULL;
271 }
272 return ret;
273 }
274
ECDSA_SIG_marshal(CBB * cbb,const ECDSA_SIG * sig)275 int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig) {
276 CBB child;
277 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
278 !BN_marshal_asn1(&child, sig->r) || !BN_marshal_asn1(&child, sig->s) ||
279 !CBB_flush(cbb)) {
280 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
281 return 0;
282 }
283 return 1;
284 }
285
ECDSA_SIG_to_bytes(uint8_t ** out_bytes,size_t * out_len,const ECDSA_SIG * sig)286 int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,
287 const ECDSA_SIG *sig) {
288 CBB cbb;
289 CBB_zero(&cbb);
290 if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig) ||
291 !CBB_finish(&cbb, out_bytes, out_len)) {
292 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
293 CBB_cleanup(&cbb);
294 return 0;
295 }
296 return 1;
297 }
298
299 // der_len_len returns the number of bytes needed to represent a length of |len|
300 // in DER.
der_len_len(size_t len)301 static size_t der_len_len(size_t len) {
302 if (len < 0x80) {
303 return 1;
304 }
305 size_t ret = 1;
306 while (len > 0) {
307 ret++;
308 len >>= 8;
309 }
310 return ret;
311 }
312
ECDSA_SIG_max_len(size_t order_len)313 size_t ECDSA_SIG_max_len(size_t order_len) {
314 // Compute the maximum length of an |order_len| byte integer. Defensively
315 // assume that the leading 0x00 is included.
316 size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
317 if (integer_len < order_len) {
318 return 0;
319 }
320 // An ECDSA signature is two INTEGERs.
321 size_t value_len = 2 * integer_len;
322 if (value_len < integer_len) {
323 return 0;
324 }
325 // Add the header.
326 size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
327 if (ret < value_len) {
328 return 0;
329 }
330 return ret;
331 }
332
d2i_ECDSA_SIG(ECDSA_SIG ** out,const uint8_t ** inp,long len)333 ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len) {
334 if (len < 0) {
335 return NULL;
336 }
337 CBS cbs;
338 CBS_init(&cbs, *inp, (size_t)len);
339 ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
340 if (ret == NULL) {
341 return NULL;
342 }
343 if (out != NULL) {
344 ECDSA_SIG_free(*out);
345 *out = ret;
346 }
347 *inp = CBS_data(&cbs);
348 return ret;
349 }
350
i2d_ECDSA_SIG(const ECDSA_SIG * sig,uint8_t ** outp)351 int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp) {
352 CBB cbb;
353 if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig)) {
354 CBB_cleanup(&cbb);
355 return -1;
356 }
357 return CBB_finish_i2d(&cbb, outp);
358 }
359