• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* ====================================================================
2  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@OpenSSL.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  * This product includes cryptographic software written by Eric Young
50  * (eay@cryptsoft.com).  This product includes software written by Tim
51  * Hudson (tjh@cryptsoft.com). */
52 
53 #include <openssl/ecdsa.h>
54 
55 #include <limits.h>
56 #include <string.h>
57 
58 #include <openssl/bn.h>
59 #include <openssl/bytestring.h>
60 #include <openssl/err.h>
61 #include <openssl/ec_key.h>
62 #include <openssl/mem.h>
63 
64 #include "../bytestring/internal.h"
65 #include "../fipsmodule/ec/internal.h"
66 #include "../internal.h"
67 
68 
ECDSA_sign(int type,const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * sig_len,const EC_KEY * eckey)69 int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,
70                unsigned int *sig_len, const EC_KEY *eckey) {
71   if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
72     return eckey->ecdsa_meth->sign(digest, digest_len, sig, sig_len,
73                                    (EC_KEY*) eckey /* cast away const */);
74   }
75 
76   return ECDSA_sign_ex(type, digest, digest_len, sig, sig_len, NULL, NULL,
77                        eckey);
78 }
79 
ECDSA_sign_ex(int type,const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * sig_len,const BIGNUM * kinv,const BIGNUM * r,const EC_KEY * eckey)80 int ECDSA_sign_ex(int type, const uint8_t *digest, size_t digest_len,
81                   uint8_t *sig, unsigned int *sig_len, const BIGNUM *kinv,
82                   const BIGNUM *r, const EC_KEY *eckey) {
83   int ret = 0;
84   ECDSA_SIG *s = NULL;
85 
86   if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
87     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
88     *sig_len = 0;
89     goto err;
90   }
91 
92   s = ECDSA_do_sign_ex(digest, digest_len, kinv, r, eckey);
93   if (s == NULL) {
94     *sig_len = 0;
95     goto err;
96   }
97 
98   CBB cbb;
99   CBB_zero(&cbb);
100   size_t len;
101   if (!CBB_init_fixed(&cbb, sig, ECDSA_size(eckey)) ||
102       !ECDSA_SIG_marshal(&cbb, s) ||
103       !CBB_finish(&cbb, NULL, &len)) {
104     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
105     CBB_cleanup(&cbb);
106     *sig_len = 0;
107     goto err;
108   }
109   *sig_len = (unsigned)len;
110   ret = 1;
111 
112 err:
113   ECDSA_SIG_free(s);
114   return ret;
115 }
116 
ECDSA_verify(int type,const uint8_t * digest,size_t digest_len,const uint8_t * sig,size_t sig_len,const EC_KEY * eckey)117 int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
118                  const uint8_t *sig, size_t sig_len, const EC_KEY *eckey) {
119   ECDSA_SIG *s;
120   int ret = 0;
121   uint8_t *der = NULL;
122 
123   /* Decode the ECDSA signature. */
124   s = ECDSA_SIG_from_bytes(sig, sig_len);
125   if (s == NULL) {
126     goto err;
127   }
128 
129   /* Defend against potential laxness in the DER parser. */
130   size_t der_len;
131   if (!ECDSA_SIG_to_bytes(&der, &der_len, s) ||
132       der_len != sig_len || OPENSSL_memcmp(sig, der, sig_len) != 0) {
133     /* This should never happen. crypto/bytestring is strictly DER. */
134     OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
135     goto err;
136   }
137 
138   ret = ECDSA_do_verify(digest, digest_len, s, eckey);
139 
140 err:
141   OPENSSL_free(der);
142   ECDSA_SIG_free(s);
143   return ret;
144 }
145 
146 
ECDSA_size(const EC_KEY * key)147 size_t ECDSA_size(const EC_KEY *key) {
148   if (key == NULL) {
149     return 0;
150   }
151 
152   size_t group_order_size;
153   if (key->ecdsa_meth && key->ecdsa_meth->group_order_size) {
154     group_order_size = key->ecdsa_meth->group_order_size(key);
155   } else {
156     const EC_GROUP *group = EC_KEY_get0_group(key);
157     if (group == NULL) {
158       return 0;
159     }
160 
161     group_order_size = BN_num_bytes(EC_GROUP_get0_order(group));
162   }
163 
164   return ECDSA_SIG_max_len(group_order_size);
165 }
166 
ECDSA_SIG_parse(CBS * cbs)167 ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) {
168   ECDSA_SIG *ret = ECDSA_SIG_new();
169   if (ret == NULL) {
170     return NULL;
171   }
172   CBS child;
173   if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
174       !BN_parse_asn1_unsigned(&child, ret->r) ||
175       !BN_parse_asn1_unsigned(&child, ret->s) ||
176       CBS_len(&child) != 0) {
177     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
178     ECDSA_SIG_free(ret);
179     return NULL;
180   }
181   return ret;
182 }
183 
ECDSA_SIG_from_bytes(const uint8_t * in,size_t in_len)184 ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {
185   CBS cbs;
186   CBS_init(&cbs, in, in_len);
187   ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
188   if (ret == NULL || CBS_len(&cbs) != 0) {
189     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
190     ECDSA_SIG_free(ret);
191     return NULL;
192   }
193   return ret;
194 }
195 
ECDSA_SIG_marshal(CBB * cbb,const ECDSA_SIG * sig)196 int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig) {
197   CBB child;
198   if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
199       !BN_marshal_asn1(&child, sig->r) ||
200       !BN_marshal_asn1(&child, sig->s) ||
201       !CBB_flush(cbb)) {
202     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
203     return 0;
204   }
205   return 1;
206 }
207 
ECDSA_SIG_to_bytes(uint8_t ** out_bytes,size_t * out_len,const ECDSA_SIG * sig)208 int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,
209                        const ECDSA_SIG *sig) {
210   CBB cbb;
211   CBB_zero(&cbb);
212   if (!CBB_init(&cbb, 0) ||
213       !ECDSA_SIG_marshal(&cbb, sig) ||
214       !CBB_finish(&cbb, out_bytes, out_len)) {
215     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
216     CBB_cleanup(&cbb);
217     return 0;
218   }
219   return 1;
220 }
221 
222 /* der_len_len returns the number of bytes needed to represent a length of |len|
223  * in DER. */
der_len_len(size_t len)224 static size_t der_len_len(size_t len) {
225   if (len < 0x80) {
226     return 1;
227   }
228   size_t ret = 1;
229   while (len > 0) {
230     ret++;
231     len >>= 8;
232   }
233   return ret;
234 }
235 
ECDSA_SIG_max_len(size_t order_len)236 size_t ECDSA_SIG_max_len(size_t order_len) {
237   /* Compute the maximum length of an |order_len| byte integer. Defensively
238    * assume that the leading 0x00 is included. */
239   size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
240   if (integer_len < order_len) {
241     return 0;
242   }
243   /* An ECDSA signature is two INTEGERs. */
244   size_t value_len = 2 * integer_len;
245   if (value_len < integer_len) {
246     return 0;
247   }
248   /* Add the header. */
249   size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
250   if (ret < value_len) {
251     return 0;
252   }
253   return ret;
254 }
255 
d2i_ECDSA_SIG(ECDSA_SIG ** out,const uint8_t ** inp,long len)256 ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len) {
257   if (len < 0) {
258     return NULL;
259   }
260   CBS cbs;
261   CBS_init(&cbs, *inp, (size_t)len);
262   ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
263   if (ret == NULL) {
264     return NULL;
265   }
266   if (out != NULL) {
267     ECDSA_SIG_free(*out);
268     *out = ret;
269   }
270   *inp = CBS_data(&cbs);
271   return ret;
272 }
273 
i2d_ECDSA_SIG(const ECDSA_SIG * sig,uint8_t ** outp)274 int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp) {
275   CBB cbb;
276   if (!CBB_init(&cbb, 0) ||
277       !ECDSA_SIG_marshal(&cbb, sig)) {
278     CBB_cleanup(&cbb);
279     return -1;
280   }
281   return CBB_finish_i2d(&cbb, outp);
282 }
283