Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
8774 | rgimad | 1 | /* |
2 | * Elliptic curve DSA |
||
3 | * |
||
4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved |
||
5 | * SPDX-License-Identifier: GPL-2.0 |
||
6 | * |
||
7 | * This program is free software; you can redistribute it and/or modify |
||
8 | * it under the terms of the GNU General Public License as published by |
||
9 | * the Free Software Foundation; either version 2 of the License, or |
||
10 | * (at your option) any later version. |
||
11 | * |
||
12 | * This program is distributed in the hope that it will be useful, |
||
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
15 | * GNU General Public License for more details. |
||
16 | * |
||
17 | * You should have received a copy of the GNU General Public License along |
||
18 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
20 | * |
||
21 | * This file is part of mbed TLS (https://tls.mbed.org) |
||
22 | */ |
||
23 | |||
24 | /* |
||
25 | * References: |
||
26 | * |
||
27 | * SEC1 http://www.secg.org/index.php?action=secg,docs_secg |
||
28 | */ |
||
29 | |||
30 | #if !defined(MBEDTLS_CONFIG_FILE) |
||
31 | #include "mbedtls/config.h" |
||
32 | #else |
||
33 | #include MBEDTLS_CONFIG_FILE |
||
34 | #endif |
||
35 | |||
36 | #if defined(MBEDTLS_ECDSA_C) |
||
37 | |||
38 | #include "mbedtls/ecdsa.h" |
||
39 | #include "mbedtls/asn1write.h" |
||
40 | |||
41 | #include |
||
42 | |||
43 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC) |
||
44 | #include "mbedtls/hmac_drbg.h" |
||
45 | #endif |
||
46 | |||
47 | #if defined(MBEDTLS_PLATFORM_C) |
||
48 | #include "mbedtls/platform.h" |
||
49 | #else |
||
50 | #include |
||
51 | #define mbedtls_calloc calloc |
||
52 | #define mbedtls_free free |
||
53 | #endif |
||
54 | |||
55 | #include "mbedtls/platform_util.h" |
||
56 | |||
57 | /* Parameter validation macros based on platform_util.h */ |
||
58 | #define ECDSA_VALIDATE_RET( cond ) \ |
||
59 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) |
||
60 | #define ECDSA_VALIDATE( cond ) \ |
||
61 | MBEDTLS_INTERNAL_VALIDATE( cond ) |
||
62 | |||
63 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
64 | |||
65 | /* |
||
66 | * Sub-context for ecdsa_verify() |
||
67 | */ |
||
68 | struct mbedtls_ecdsa_restart_ver |
||
69 | { |
||
70 | mbedtls_mpi u1, u2; /* intermediate values */ |
||
71 | enum { /* what to do next? */ |
||
72 | ecdsa_ver_init = 0, /* getting started */ |
||
73 | ecdsa_ver_muladd, /* muladd step */ |
||
74 | } state; |
||
75 | }; |
||
76 | |||
77 | /* |
||
78 | * Init verify restart sub-context |
||
79 | */ |
||
80 | static void ecdsa_restart_ver_init( mbedtls_ecdsa_restart_ver_ctx *ctx ) |
||
81 | { |
||
82 | mbedtls_mpi_init( &ctx->u1 ); |
||
83 | mbedtls_mpi_init( &ctx->u2 ); |
||
84 | ctx->state = ecdsa_ver_init; |
||
85 | } |
||
86 | |||
87 | /* |
||
88 | * Free the components of a verify restart sub-context |
||
89 | */ |
||
90 | static void ecdsa_restart_ver_free( mbedtls_ecdsa_restart_ver_ctx *ctx ) |
||
91 | { |
||
92 | if( ctx == NULL ) |
||
93 | return; |
||
94 | |||
95 | mbedtls_mpi_free( &ctx->u1 ); |
||
96 | mbedtls_mpi_free( &ctx->u2 ); |
||
97 | |||
98 | ecdsa_restart_ver_init( ctx ); |
||
99 | } |
||
100 | |||
101 | /* |
||
102 | * Sub-context for ecdsa_sign() |
||
103 | */ |
||
104 | struct mbedtls_ecdsa_restart_sig |
||
105 | { |
||
106 | int sign_tries; |
||
107 | int key_tries; |
||
108 | mbedtls_mpi k; /* per-signature random */ |
||
109 | mbedtls_mpi r; /* r value */ |
||
110 | enum { /* what to do next? */ |
||
111 | ecdsa_sig_init = 0, /* getting started */ |
||
112 | ecdsa_sig_mul, /* doing ecp_mul() */ |
||
113 | ecdsa_sig_modn, /* mod N computations */ |
||
114 | } state; |
||
115 | }; |
||
116 | |||
117 | /* |
||
118 | * Init verify sign sub-context |
||
119 | */ |
||
120 | static void ecdsa_restart_sig_init( mbedtls_ecdsa_restart_sig_ctx *ctx ) |
||
121 | { |
||
122 | ctx->sign_tries = 0; |
||
123 | ctx->key_tries = 0; |
||
124 | mbedtls_mpi_init( &ctx->k ); |
||
125 | mbedtls_mpi_init( &ctx->r ); |
||
126 | ctx->state = ecdsa_sig_init; |
||
127 | } |
||
128 | |||
129 | /* |
||
130 | * Free the components of a sign restart sub-context |
||
131 | */ |
||
132 | static void ecdsa_restart_sig_free( mbedtls_ecdsa_restart_sig_ctx *ctx ) |
||
133 | { |
||
134 | if( ctx == NULL ) |
||
135 | return; |
||
136 | |||
137 | mbedtls_mpi_free( &ctx->k ); |
||
138 | mbedtls_mpi_free( &ctx->r ); |
||
139 | } |
||
140 | |||
141 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC) |
||
142 | /* |
||
143 | * Sub-context for ecdsa_sign_det() |
||
144 | */ |
||
145 | struct mbedtls_ecdsa_restart_det |
||
146 | { |
||
147 | mbedtls_hmac_drbg_context rng_ctx; /* DRBG state */ |
||
148 | enum { /* what to do next? */ |
||
149 | ecdsa_det_init = 0, /* getting started */ |
||
150 | ecdsa_det_sign, /* make signature */ |
||
151 | } state; |
||
152 | }; |
||
153 | |||
154 | /* |
||
155 | * Init verify sign_det sub-context |
||
156 | */ |
||
157 | static void ecdsa_restart_det_init( mbedtls_ecdsa_restart_det_ctx *ctx ) |
||
158 | { |
||
159 | mbedtls_hmac_drbg_init( &ctx->rng_ctx ); |
||
160 | ctx->state = ecdsa_det_init; |
||
161 | } |
||
162 | |||
163 | /* |
||
164 | * Free the components of a sign_det restart sub-context |
||
165 | */ |
||
166 | static void ecdsa_restart_det_free( mbedtls_ecdsa_restart_det_ctx *ctx ) |
||
167 | { |
||
168 | if( ctx == NULL ) |
||
169 | return; |
||
170 | |||
171 | mbedtls_hmac_drbg_free( &ctx->rng_ctx ); |
||
172 | |||
173 | ecdsa_restart_det_init( ctx ); |
||
174 | } |
||
175 | #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ |
||
176 | |||
177 | #define ECDSA_RS_ECP ( rs_ctx == NULL ? NULL : &rs_ctx->ecp ) |
||
178 | |||
179 | /* Utility macro for checking and updating ops budget */ |
||
180 | #define ECDSA_BUDGET( ops ) \ |
||
181 | MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, ECDSA_RS_ECP, ops ) ); |
||
182 | |||
183 | /* Call this when entering a function that needs its own sub-context */ |
||
184 | #define ECDSA_RS_ENTER( SUB ) do { \ |
||
185 | /* reset ops count for this call if top-level */ \ |
||
186 | if( rs_ctx != NULL && rs_ctx->ecp.depth++ == 0 ) \ |
||
187 | rs_ctx->ecp.ops_done = 0; \ |
||
188 | \ |
||
189 | /* set up our own sub-context if needed */ \ |
||
190 | if( mbedtls_ecp_restart_is_enabled() && \ |
||
191 | rs_ctx != NULL && rs_ctx->SUB == NULL ) \ |
||
192 | { \ |
||
193 | rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) ); \ |
||
194 | if( rs_ctx->SUB == NULL ) \ |
||
195 | return( MBEDTLS_ERR_ECP_ALLOC_FAILED ); \ |
||
196 | \ |
||
197 | ecdsa_restart_## SUB ##_init( rs_ctx->SUB ); \ |
||
198 | } \ |
||
199 | } while( 0 ) |
||
200 | |||
201 | /* Call this when leaving a function that needs its own sub-context */ |
||
202 | #define ECDSA_RS_LEAVE( SUB ) do { \ |
||
203 | /* clear our sub-context when not in progress (done or error) */ \ |
||
204 | if( rs_ctx != NULL && rs_ctx->SUB != NULL && \ |
||
205 | ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) \ |
||
206 | { \ |
||
207 | ecdsa_restart_## SUB ##_free( rs_ctx->SUB ); \ |
||
208 | mbedtls_free( rs_ctx->SUB ); \ |
||
209 | rs_ctx->SUB = NULL; \ |
||
210 | } \ |
||
211 | \ |
||
212 | if( rs_ctx != NULL ) \ |
||
213 | rs_ctx->ecp.depth--; \ |
||
214 | } while( 0 ) |
||
215 | |||
216 | #else /* MBEDTLS_ECP_RESTARTABLE */ |
||
217 | |||
218 | #define ECDSA_RS_ECP NULL |
||
219 | |||
220 | #define ECDSA_BUDGET( ops ) /* no-op; for compatibility */ |
||
221 | |||
222 | #define ECDSA_RS_ENTER( SUB ) (void) rs_ctx |
||
223 | #define ECDSA_RS_LEAVE( SUB ) (void) rs_ctx |
||
224 | |||
225 | #endif /* MBEDTLS_ECP_RESTARTABLE */ |
||
226 | |||
227 | /* |
||
228 | * Derive a suitable integer for group grp from a buffer of length len |
||
229 | * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3 |
||
230 | */ |
||
231 | static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x, |
||
232 | const unsigned char *buf, size_t blen ) |
||
233 | { |
||
234 | int ret; |
||
235 | size_t n_size = ( grp->nbits + 7 ) / 8; |
||
236 | size_t use_size = blen > n_size ? n_size : blen; |
||
237 | |||
238 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( x, buf, use_size ) ); |
||
239 | if( use_size * 8 > grp->nbits ) |
||
240 | MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( x, use_size * 8 - grp->nbits ) ); |
||
241 | |||
242 | /* While at it, reduce modulo N */ |
||
243 | if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 ) |
||
244 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( x, x, &grp->N ) ); |
||
245 | |||
246 | cleanup: |
||
247 | return( ret ); |
||
248 | } |
||
249 | |||
250 | #if !defined(MBEDTLS_ECDSA_SIGN_ALT) |
||
251 | /* |
||
252 | * Compute ECDSA signature of a hashed message (SEC1 4.1.3) |
||
253 | * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message) |
||
254 | */ |
||
255 | static int ecdsa_sign_restartable( mbedtls_ecp_group *grp, |
||
256 | mbedtls_mpi *r, mbedtls_mpi *s, |
||
257 | const mbedtls_mpi *d, const unsigned char *buf, size_t blen, |
||
258 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, |
||
259 | int (*f_rng_blind)(void *, unsigned char *, size_t), |
||
260 | void *p_rng_blind, |
||
261 | mbedtls_ecdsa_restart_ctx *rs_ctx ) |
||
262 | { |
||
263 | int ret, key_tries, sign_tries; |
||
264 | int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries; |
||
265 | mbedtls_ecp_point R; |
||
266 | mbedtls_mpi k, e, t; |
||
267 | mbedtls_mpi *pk = &k, *pr = r; |
||
268 | |||
269 | /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */ |
||
270 | if( grp->N.p == NULL ) |
||
271 | return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); |
||
272 | |||
273 | /* Make sure d is in range 1..n-1 */ |
||
274 | if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 ) |
||
275 | return( MBEDTLS_ERR_ECP_INVALID_KEY ); |
||
276 | |||
277 | mbedtls_ecp_point_init( &R ); |
||
278 | mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t ); |
||
279 | |||
280 | ECDSA_RS_ENTER( sig ); |
||
281 | |||
282 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
283 | if( rs_ctx != NULL && rs_ctx->sig != NULL ) |
||
284 | { |
||
285 | /* redirect to our context */ |
||
286 | p_sign_tries = &rs_ctx->sig->sign_tries; |
||
287 | p_key_tries = &rs_ctx->sig->key_tries; |
||
288 | pk = &rs_ctx->sig->k; |
||
289 | pr = &rs_ctx->sig->r; |
||
290 | |||
291 | /* jump to current step */ |
||
292 | if( rs_ctx->sig->state == ecdsa_sig_mul ) |
||
293 | goto mul; |
||
294 | if( rs_ctx->sig->state == ecdsa_sig_modn ) |
||
295 | goto modn; |
||
296 | } |
||
297 | #endif /* MBEDTLS_ECP_RESTARTABLE */ |
||
298 | |||
299 | *p_sign_tries = 0; |
||
300 | do |
||
301 | { |
||
302 | if( (*p_sign_tries)++ > 10 ) |
||
303 | { |
||
304 | ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; |
||
305 | goto cleanup; |
||
306 | } |
||
307 | |||
308 | /* |
||
309 | * Steps 1-3: generate a suitable ephemeral keypair |
||
310 | * and set r = xR mod n |
||
311 | */ |
||
312 | *p_key_tries = 0; |
||
313 | do |
||
314 | { |
||
315 | if( (*p_key_tries)++ > 10 ) |
||
316 | { |
||
317 | ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; |
||
318 | goto cleanup; |
||
319 | } |
||
320 | |||
321 | MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) ); |
||
322 | |||
323 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
324 | if( rs_ctx != NULL && rs_ctx->sig != NULL ) |
||
325 | rs_ctx->sig->state = ecdsa_sig_mul; |
||
326 | |||
327 | mul: |
||
328 | #endif |
||
329 | MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G, |
||
330 | f_rng_blind, |
||
331 | p_rng_blind, |
||
332 | ECDSA_RS_ECP ) ); |
||
333 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) ); |
||
334 | } |
||
335 | while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 ); |
||
336 | |||
337 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
338 | if( rs_ctx != NULL && rs_ctx->sig != NULL ) |
||
339 | rs_ctx->sig->state = ecdsa_sig_modn; |
||
340 | |||
341 | modn: |
||
342 | #endif |
||
343 | /* |
||
344 | * Accounting for everything up to the end of the loop |
||
345 | * (step 6, but checking now avoids saving e and t) |
||
346 | */ |
||
347 | ECDSA_BUDGET( MBEDTLS_ECP_OPS_INV + 4 ); |
||
348 | |||
349 | /* |
||
350 | * Step 5: derive MPI from hashed message |
||
351 | */ |
||
352 | MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) ); |
||
353 | |||
354 | /* |
||
355 | * Generate a random value to blind inv_mod in next step, |
||
356 | * avoiding a potential timing leak. |
||
357 | */ |
||
358 | MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng_blind, |
||
359 | p_rng_blind ) ); |
||
360 | |||
361 | /* |
||
362 | * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n |
||
363 | */ |
||
364 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, pr, d ) ); |
||
365 | MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) ); |
||
366 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) ); |
||
367 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) ); |
||
368 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) ); |
||
369 | MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) ); |
||
370 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) ); |
||
371 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) ); |
||
372 | } |
||
373 | while( mbedtls_mpi_cmp_int( s, 0 ) == 0 ); |
||
374 | |||
375 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
376 | if( rs_ctx != NULL && rs_ctx->sig != NULL ) |
||
377 | mbedtls_mpi_copy( r, pr ); |
||
378 | #endif |
||
379 | |||
380 | cleanup: |
||
381 | mbedtls_ecp_point_free( &R ); |
||
382 | mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t ); |
||
383 | |||
384 | ECDSA_RS_LEAVE( sig ); |
||
385 | |||
386 | return( ret ); |
||
387 | } |
||
388 | |||
389 | /* |
||
390 | * Compute ECDSA signature of a hashed message |
||
391 | */ |
||
392 | int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, |
||
393 | const mbedtls_mpi *d, const unsigned char *buf, size_t blen, |
||
394 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) |
||
395 | { |
||
396 | ECDSA_VALIDATE_RET( grp != NULL ); |
||
397 | ECDSA_VALIDATE_RET( r != NULL ); |
||
398 | ECDSA_VALIDATE_RET( s != NULL ); |
||
399 | ECDSA_VALIDATE_RET( d != NULL ); |
||
400 | ECDSA_VALIDATE_RET( f_rng != NULL ); |
||
401 | ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); |
||
402 | |||
403 | /* Use the same RNG for both blinding and ephemeral key generation */ |
||
404 | return( ecdsa_sign_restartable( grp, r, s, d, buf, blen, |
||
405 | f_rng, p_rng, f_rng, p_rng, NULL ) ); |
||
406 | } |
||
407 | #endif /* !MBEDTLS_ECDSA_SIGN_ALT */ |
||
408 | |||
409 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC) |
||
410 | /* |
||
411 | * Deterministic signature wrapper |
||
412 | */ |
||
413 | static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp, |
||
414 | mbedtls_mpi *r, mbedtls_mpi *s, |
||
415 | const mbedtls_mpi *d, const unsigned char *buf, size_t blen, |
||
416 | mbedtls_md_type_t md_alg, |
||
417 | int (*f_rng_blind)(void *, unsigned char *, size_t), |
||
418 | void *p_rng_blind, |
||
419 | mbedtls_ecdsa_restart_ctx *rs_ctx ) |
||
420 | { |
||
421 | int ret; |
||
422 | mbedtls_hmac_drbg_context rng_ctx; |
||
423 | mbedtls_hmac_drbg_context *p_rng = &rng_ctx; |
||
424 | unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES]; |
||
425 | size_t grp_len = ( grp->nbits + 7 ) / 8; |
||
426 | const mbedtls_md_info_t *md_info; |
||
427 | mbedtls_mpi h; |
||
428 | |||
429 | if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) |
||
430 | return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); |
||
431 | |||
432 | mbedtls_mpi_init( &h ); |
||
433 | mbedtls_hmac_drbg_init( &rng_ctx ); |
||
434 | |||
435 | ECDSA_RS_ENTER( det ); |
||
436 | |||
437 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
438 | if( rs_ctx != NULL && rs_ctx->det != NULL ) |
||
439 | { |
||
440 | /* redirect to our context */ |
||
441 | p_rng = &rs_ctx->det->rng_ctx; |
||
442 | |||
443 | /* jump to current step */ |
||
444 | if( rs_ctx->det->state == ecdsa_det_sign ) |
||
445 | goto sign; |
||
446 | } |
||
447 | #endif /* MBEDTLS_ECP_RESTARTABLE */ |
||
448 | |||
449 | /* Use private key and message hash (reduced) to initialize HMAC_DRBG */ |
||
450 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) ); |
||
451 | MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) ); |
||
452 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) ); |
||
453 | mbedtls_hmac_drbg_seed_buf( p_rng, md_info, data, 2 * grp_len ); |
||
454 | |||
455 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
456 | if( rs_ctx != NULL && rs_ctx->det != NULL ) |
||
457 | rs_ctx->det->state = ecdsa_det_sign; |
||
458 | |||
459 | sign: |
||
460 | #endif |
||
461 | #if defined(MBEDTLS_ECDSA_SIGN_ALT) |
||
462 | ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, |
||
463 | mbedtls_hmac_drbg_random, p_rng ); |
||
464 | #else |
||
465 | if( f_rng_blind != NULL ) |
||
466 | ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, |
||
467 | mbedtls_hmac_drbg_random, p_rng, |
||
468 | f_rng_blind, p_rng_blind, rs_ctx ); |
||
469 | else |
||
470 | { |
||
471 | mbedtls_hmac_drbg_context *p_rng_blind_det; |
||
472 | |||
473 | #if !defined(MBEDTLS_ECP_RESTARTABLE) |
||
474 | /* |
||
475 | * To avoid reusing rng_ctx and risking incorrect behavior we seed a |
||
476 | * second HMAC-DRBG with the same seed. We also apply a label to avoid |
||
477 | * reusing the bits of the ephemeral key for blinding and eliminate the |
||
478 | * risk that they leak this way. |
||
479 | */ |
||
480 | const char* blind_label = "BLINDING CONTEXT"; |
||
481 | mbedtls_hmac_drbg_context rng_ctx_blind; |
||
482 | |||
483 | mbedtls_hmac_drbg_init( &rng_ctx_blind ); |
||
484 | p_rng_blind_det = &rng_ctx_blind; |
||
485 | |||
486 | mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info, |
||
487 | data, 2 * grp_len ); |
||
488 | ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det, |
||
489 | (const unsigned char*) blind_label, |
||
490 | strlen( blind_label ) ); |
||
491 | if( ret != 0 ) |
||
492 | { |
||
493 | mbedtls_hmac_drbg_free( &rng_ctx_blind ); |
||
494 | goto cleanup; |
||
495 | } |
||
496 | #else |
||
497 | /* |
||
498 | * In the case of restartable computations we would either need to store |
||
499 | * the second RNG in the restart context too or set it up at every |
||
500 | * restart. The first option would penalize the correct application of |
||
501 | * the function and the second would defeat the purpose of the |
||
502 | * restartable feature. |
||
503 | * |
||
504 | * Therefore in this case we reuse the original RNG. This comes with the |
||
505 | * price that the resulting signature might not be a valid deterministic |
||
506 | * ECDSA signature with a very low probability (same magnitude as |
||
507 | * successfully guessing the private key). However even then it is still |
||
508 | * a valid ECDSA signature. |
||
509 | */ |
||
510 | p_rng_blind_det = p_rng; |
||
511 | #endif /* MBEDTLS_ECP_RESTARTABLE */ |
||
512 | |||
513 | /* |
||
514 | * Since the output of the RNGs is always the same for the same key and |
||
515 | * message, this limits the efficiency of blinding and leaks information |
||
516 | * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL |
||
517 | * won't be a valid value for f_rng_blind anymore. Therefore it should |
||
518 | * be checked by the caller and this branch and check can be removed. |
||
519 | */ |
||
520 | ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, |
||
521 | mbedtls_hmac_drbg_random, p_rng, |
||
522 | mbedtls_hmac_drbg_random, p_rng_blind_det, |
||
523 | rs_ctx ); |
||
524 | |||
525 | #if !defined(MBEDTLS_ECP_RESTARTABLE) |
||
526 | mbedtls_hmac_drbg_free( &rng_ctx_blind ); |
||
527 | #endif |
||
528 | } |
||
529 | #endif /* MBEDTLS_ECDSA_SIGN_ALT */ |
||
530 | |||
531 | cleanup: |
||
532 | mbedtls_hmac_drbg_free( &rng_ctx ); |
||
533 | mbedtls_mpi_free( &h ); |
||
534 | |||
535 | ECDSA_RS_LEAVE( det ); |
||
536 | |||
537 | return( ret ); |
||
538 | } |
||
539 | |||
540 | /* |
||
541 | * Deterministic signature wrappers |
||
542 | */ |
||
543 | int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, |
||
544 | mbedtls_mpi *s, const mbedtls_mpi *d, |
||
545 | const unsigned char *buf, size_t blen, |
||
546 | mbedtls_md_type_t md_alg ) |
||
547 | { |
||
548 | ECDSA_VALIDATE_RET( grp != NULL ); |
||
549 | ECDSA_VALIDATE_RET( r != NULL ); |
||
550 | ECDSA_VALIDATE_RET( s != NULL ); |
||
551 | ECDSA_VALIDATE_RET( d != NULL ); |
||
552 | ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); |
||
553 | |||
554 | return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, |
||
555 | NULL, NULL, NULL ) ); |
||
556 | } |
||
557 | |||
558 | int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r, |
||
559 | mbedtls_mpi *s, const mbedtls_mpi *d, |
||
560 | const unsigned char *buf, size_t blen, |
||
561 | mbedtls_md_type_t md_alg, |
||
562 | int (*f_rng_blind)(void *, unsigned char *, |
||
563 | size_t), |
||
564 | void *p_rng_blind ) |
||
565 | { |
||
566 | ECDSA_VALIDATE_RET( grp != NULL ); |
||
567 | ECDSA_VALIDATE_RET( r != NULL ); |
||
568 | ECDSA_VALIDATE_RET( s != NULL ); |
||
569 | ECDSA_VALIDATE_RET( d != NULL ); |
||
570 | ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); |
||
571 | ECDSA_VALIDATE_RET( f_rng_blind != NULL ); |
||
572 | |||
573 | return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, |
||
574 | f_rng_blind, p_rng_blind, NULL ) ); |
||
575 | } |
||
576 | #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ |
||
577 | |||
578 | #if !defined(MBEDTLS_ECDSA_VERIFY_ALT) |
||
579 | /* |
||
580 | * Verify ECDSA signature of hashed message (SEC1 4.1.4) |
||
581 | * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message) |
||
582 | */ |
||
583 | static int ecdsa_verify_restartable( mbedtls_ecp_group *grp, |
||
584 | const unsigned char *buf, size_t blen, |
||
585 | const mbedtls_ecp_point *Q, |
||
586 | const mbedtls_mpi *r, const mbedtls_mpi *s, |
||
587 | mbedtls_ecdsa_restart_ctx *rs_ctx ) |
||
588 | { |
||
589 | int ret; |
||
590 | mbedtls_mpi e, s_inv, u1, u2; |
||
591 | mbedtls_ecp_point R; |
||
592 | mbedtls_mpi *pu1 = &u1, *pu2 = &u2; |
||
593 | |||
594 | mbedtls_ecp_point_init( &R ); |
||
595 | mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv ); |
||
596 | mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 ); |
||
597 | |||
598 | /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */ |
||
599 | if( grp->N.p == NULL ) |
||
600 | return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); |
||
601 | |||
602 | ECDSA_RS_ENTER( ver ); |
||
603 | |||
604 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
605 | if( rs_ctx != NULL && rs_ctx->ver != NULL ) |
||
606 | { |
||
607 | /* redirect to our context */ |
||
608 | pu1 = &rs_ctx->ver->u1; |
||
609 | pu2 = &rs_ctx->ver->u2; |
||
610 | |||
611 | /* jump to current step */ |
||
612 | if( rs_ctx->ver->state == ecdsa_ver_muladd ) |
||
613 | goto muladd; |
||
614 | } |
||
615 | #endif /* MBEDTLS_ECP_RESTARTABLE */ |
||
616 | |||
617 | /* |
||
618 | * Step 1: make sure r and s are in range 1..n-1 |
||
619 | */ |
||
620 | if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 || |
||
621 | mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 ) |
||
622 | { |
||
623 | ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; |
||
624 | goto cleanup; |
||
625 | } |
||
626 | |||
627 | /* |
||
628 | * Step 3: derive MPI from hashed message |
||
629 | */ |
||
630 | MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) ); |
||
631 | |||
632 | /* |
||
633 | * Step 4: u1 = e / s mod n, u2 = r / s mod n |
||
634 | */ |
||
635 | ECDSA_BUDGET( MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2 ); |
||
636 | |||
637 | MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) ); |
||
638 | |||
639 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu1, &e, &s_inv ) ); |
||
640 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu1, pu1, &grp->N ) ); |
||
641 | |||
642 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu2, r, &s_inv ) ); |
||
643 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu2, pu2, &grp->N ) ); |
||
644 | |||
645 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
646 | if( rs_ctx != NULL && rs_ctx->ver != NULL ) |
||
647 | rs_ctx->ver->state = ecdsa_ver_muladd; |
||
648 | |||
649 | muladd: |
||
650 | #endif |
||
651 | /* |
||
652 | * Step 5: R = u1 G + u2 Q |
||
653 | */ |
||
654 | MBEDTLS_MPI_CHK( mbedtls_ecp_muladd_restartable( grp, |
||
655 | &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP ) ); |
||
656 | |||
657 | if( mbedtls_ecp_is_zero( &R ) ) |
||
658 | { |
||
659 | ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; |
||
660 | goto cleanup; |
||
661 | } |
||
662 | |||
663 | /* |
||
664 | * Step 6: convert xR to an integer (no-op) |
||
665 | * Step 7: reduce xR mod n (gives v) |
||
666 | */ |
||
667 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) ); |
||
668 | |||
669 | /* |
||
670 | * Step 8: check if v (that is, R.X) is equal to r |
||
671 | */ |
||
672 | if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 ) |
||
673 | { |
||
674 | ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; |
||
675 | goto cleanup; |
||
676 | } |
||
677 | |||
678 | cleanup: |
||
679 | mbedtls_ecp_point_free( &R ); |
||
680 | mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv ); |
||
681 | mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 ); |
||
682 | |||
683 | ECDSA_RS_LEAVE( ver ); |
||
684 | |||
685 | return( ret ); |
||
686 | } |
||
687 | |||
688 | /* |
||
689 | * Verify ECDSA signature of hashed message |
||
690 | */ |
||
691 | int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, |
||
692 | const unsigned char *buf, size_t blen, |
||
693 | const mbedtls_ecp_point *Q, |
||
694 | const mbedtls_mpi *r, |
||
695 | const mbedtls_mpi *s) |
||
696 | { |
||
697 | ECDSA_VALIDATE_RET( grp != NULL ); |
||
698 | ECDSA_VALIDATE_RET( Q != NULL ); |
||
699 | ECDSA_VALIDATE_RET( r != NULL ); |
||
700 | ECDSA_VALIDATE_RET( s != NULL ); |
||
701 | ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); |
||
702 | |||
703 | return( ecdsa_verify_restartable( grp, buf, blen, Q, r, s, NULL ) ); |
||
704 | } |
||
705 | #endif /* !MBEDTLS_ECDSA_VERIFY_ALT */ |
||
706 | |||
707 | /* |
||
708 | * Convert a signature (given by context) to ASN.1 |
||
709 | */ |
||
710 | static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, |
||
711 | unsigned char *sig, size_t *slen ) |
||
712 | { |
||
713 | int ret; |
||
714 | unsigned char buf[MBEDTLS_ECDSA_MAX_LEN]; |
||
715 | unsigned char *p = buf + sizeof( buf ); |
||
716 | size_t len = 0; |
||
717 | |||
718 | MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, s ) ); |
||
719 | MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, r ) ); |
||
720 | |||
721 | MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, len ) ); |
||
722 | MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf, |
||
723 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); |
||
724 | |||
725 | memcpy( sig, p, len ); |
||
726 | *slen = len; |
||
727 | |||
728 | return( 0 ); |
||
729 | } |
||
730 | |||
731 | /* |
||
732 | * Compute and write signature |
||
733 | */ |
||
734 | int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx, |
||
735 | mbedtls_md_type_t md_alg, |
||
736 | const unsigned char *hash, size_t hlen, |
||
737 | unsigned char *sig, size_t *slen, |
||
738 | int (*f_rng)(void *, unsigned char *, size_t), |
||
739 | void *p_rng, |
||
740 | mbedtls_ecdsa_restart_ctx *rs_ctx ) |
||
741 | { |
||
742 | int ret; |
||
743 | mbedtls_mpi r, s; |
||
744 | ECDSA_VALIDATE_RET( ctx != NULL ); |
||
745 | ECDSA_VALIDATE_RET( hash != NULL ); |
||
746 | ECDSA_VALIDATE_RET( sig != NULL ); |
||
747 | ECDSA_VALIDATE_RET( slen != NULL ); |
||
748 | |||
749 | mbedtls_mpi_init( &r ); |
||
750 | mbedtls_mpi_init( &s ); |
||
751 | |||
752 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC) |
||
753 | MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d, |
||
754 | hash, hlen, md_alg, f_rng, |
||
755 | p_rng, rs_ctx ) ); |
||
756 | #else |
||
757 | (void) md_alg; |
||
758 | |||
759 | #if defined(MBEDTLS_ECDSA_SIGN_ALT) |
||
760 | MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d, |
||
761 | hash, hlen, f_rng, p_rng ) ); |
||
762 | #else |
||
763 | /* Use the same RNG for both blinding and ephemeral key generation */ |
||
764 | MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d, |
||
765 | hash, hlen, f_rng, p_rng, f_rng, |
||
766 | p_rng, rs_ctx ) ); |
||
767 | #endif /* MBEDTLS_ECDSA_SIGN_ALT */ |
||
768 | #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ |
||
769 | |||
770 | MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) ); |
||
771 | |||
772 | cleanup: |
||
773 | mbedtls_mpi_free( &r ); |
||
774 | mbedtls_mpi_free( &s ); |
||
775 | |||
776 | return( ret ); |
||
777 | } |
||
778 | |||
779 | /* |
||
780 | * Compute and write signature |
||
781 | */ |
||
782 | int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, |
||
783 | mbedtls_md_type_t md_alg, |
||
784 | const unsigned char *hash, size_t hlen, |
||
785 | unsigned char *sig, size_t *slen, |
||
786 | int (*f_rng)(void *, unsigned char *, size_t), |
||
787 | void *p_rng ) |
||
788 | { |
||
789 | ECDSA_VALIDATE_RET( ctx != NULL ); |
||
790 | ECDSA_VALIDATE_RET( hash != NULL ); |
||
791 | ECDSA_VALIDATE_RET( sig != NULL ); |
||
792 | ECDSA_VALIDATE_RET( slen != NULL ); |
||
793 | return( mbedtls_ecdsa_write_signature_restartable( |
||
794 | ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL ) ); |
||
795 | } |
||
796 | |||
797 | #if !defined(MBEDTLS_DEPRECATED_REMOVED) && \ |
||
798 | defined(MBEDTLS_ECDSA_DETERMINISTIC) |
||
799 | int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, |
||
800 | const unsigned char *hash, size_t hlen, |
||
801 | unsigned char *sig, size_t *slen, |
||
802 | mbedtls_md_type_t md_alg ) |
||
803 | { |
||
804 | ECDSA_VALIDATE_RET( ctx != NULL ); |
||
805 | ECDSA_VALIDATE_RET( hash != NULL ); |
||
806 | ECDSA_VALIDATE_RET( sig != NULL ); |
||
807 | ECDSA_VALIDATE_RET( slen != NULL ); |
||
808 | return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen, |
||
809 | NULL, NULL ) ); |
||
810 | } |
||
811 | #endif |
||
812 | |||
813 | /* |
||
814 | * Read and check signature |
||
815 | */ |
||
816 | int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, |
||
817 | const unsigned char *hash, size_t hlen, |
||
818 | const unsigned char *sig, size_t slen ) |
||
819 | { |
||
820 | ECDSA_VALIDATE_RET( ctx != NULL ); |
||
821 | ECDSA_VALIDATE_RET( hash != NULL ); |
||
822 | ECDSA_VALIDATE_RET( sig != NULL ); |
||
823 | return( mbedtls_ecdsa_read_signature_restartable( |
||
824 | ctx, hash, hlen, sig, slen, NULL ) ); |
||
825 | } |
||
826 | |||
827 | /* |
||
828 | * Restartable read and check signature |
||
829 | */ |
||
830 | int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx, |
||
831 | const unsigned char *hash, size_t hlen, |
||
832 | const unsigned char *sig, size_t slen, |
||
833 | mbedtls_ecdsa_restart_ctx *rs_ctx ) |
||
834 | { |
||
835 | int ret; |
||
836 | unsigned char *p = (unsigned char *) sig; |
||
837 | const unsigned char *end = sig + slen; |
||
838 | size_t len; |
||
839 | mbedtls_mpi r, s; |
||
840 | ECDSA_VALIDATE_RET( ctx != NULL ); |
||
841 | ECDSA_VALIDATE_RET( hash != NULL ); |
||
842 | ECDSA_VALIDATE_RET( sig != NULL ); |
||
843 | |||
844 | mbedtls_mpi_init( &r ); |
||
845 | mbedtls_mpi_init( &s ); |
||
846 | |||
847 | if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, |
||
848 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
||
849 | { |
||
850 | ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
||
851 | goto cleanup; |
||
852 | } |
||
853 | |||
854 | if( p + len != end ) |
||
855 | { |
||
856 | ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA + |
||
857 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; |
||
858 | goto cleanup; |
||
859 | } |
||
860 | |||
861 | if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 || |
||
862 | ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 ) |
||
863 | { |
||
864 | ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
||
865 | goto cleanup; |
||
866 | } |
||
867 | #if defined(MBEDTLS_ECDSA_VERIFY_ALT) |
||
868 | if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen, |
||
869 | &ctx->Q, &r, &s ) ) != 0 ) |
||
870 | goto cleanup; |
||
871 | #else |
||
872 | if( ( ret = ecdsa_verify_restartable( &ctx->grp, hash, hlen, |
||
873 | &ctx->Q, &r, &s, rs_ctx ) ) != 0 ) |
||
874 | goto cleanup; |
||
875 | #endif /* MBEDTLS_ECDSA_VERIFY_ALT */ |
||
876 | |||
877 | /* At this point we know that the buffer starts with a valid signature. |
||
878 | * Return 0 if the buffer just contains the signature, and a specific |
||
879 | * error code if the valid signature is followed by more data. */ |
||
880 | if( p != end ) |
||
881 | ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH; |
||
882 | |||
883 | cleanup: |
||
884 | mbedtls_mpi_free( &r ); |
||
885 | mbedtls_mpi_free( &s ); |
||
886 | |||
887 | return( ret ); |
||
888 | } |
||
889 | |||
890 | #if !defined(MBEDTLS_ECDSA_GENKEY_ALT) |
||
891 | /* |
||
892 | * Generate key pair |
||
893 | */ |
||
894 | int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, |
||
895 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) |
||
896 | { |
||
897 | int ret = 0; |
||
898 | ECDSA_VALIDATE_RET( ctx != NULL ); |
||
899 | ECDSA_VALIDATE_RET( f_rng != NULL ); |
||
900 | |||
901 | ret = mbedtls_ecp_group_load( &ctx->grp, gid ); |
||
902 | if( ret != 0 ) |
||
903 | return( ret ); |
||
904 | |||
905 | return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, |
||
906 | &ctx->Q, f_rng, p_rng ) ); |
||
907 | } |
||
908 | #endif /* !MBEDTLS_ECDSA_GENKEY_ALT */ |
||
909 | |||
910 | /* |
||
911 | * Set context from an mbedtls_ecp_keypair |
||
912 | */ |
||
913 | int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key ) |
||
914 | { |
||
915 | int ret; |
||
916 | ECDSA_VALIDATE_RET( ctx != NULL ); |
||
917 | ECDSA_VALIDATE_RET( key != NULL ); |
||
918 | |||
919 | if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 || |
||
920 | ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 || |
||
921 | ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 ) |
||
922 | { |
||
923 | mbedtls_ecdsa_free( ctx ); |
||
924 | } |
||
925 | |||
926 | return( ret ); |
||
927 | } |
||
928 | |||
929 | /* |
||
930 | * Initialize context |
||
931 | */ |
||
932 | void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ) |
||
933 | { |
||
934 | ECDSA_VALIDATE( ctx != NULL ); |
||
935 | |||
936 | mbedtls_ecp_keypair_init( ctx ); |
||
937 | } |
||
938 | |||
939 | /* |
||
940 | * Free context |
||
941 | */ |
||
942 | void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ) |
||
943 | { |
||
944 | if( ctx == NULL ) |
||
945 | return; |
||
946 | |||
947 | mbedtls_ecp_keypair_free( ctx ); |
||
948 | } |
||
949 | |||
950 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
||
951 | /* |
||
952 | * Initialize a restart context |
||
953 | */ |
||
954 | void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx ) |
||
955 | { |
||
956 | ECDSA_VALIDATE( ctx != NULL ); |
||
957 | |||
958 | mbedtls_ecp_restart_init( &ctx->ecp ); |
||
959 | |||
960 | ctx->ver = NULL; |
||
961 | ctx->sig = NULL; |
||
962 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC) |
||
963 | ctx->det = NULL; |
||
964 | #endif |
||
965 | } |
||
966 | |||
967 | /* |
||
968 | * Free the components of a restart context |
||
969 | */ |
||
970 | void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx ) |
||
971 | { |
||
972 | if( ctx == NULL ) |
||
973 | return; |
||
974 | |||
975 | mbedtls_ecp_restart_free( &ctx->ecp ); |
||
976 | |||
977 | ecdsa_restart_ver_free( ctx->ver ); |
||
978 | mbedtls_free( ctx->ver ); |
||
979 | ctx->ver = NULL; |
||
980 | |||
981 | ecdsa_restart_sig_free( ctx->sig ); |
||
982 | mbedtls_free( ctx->sig ); |
||
983 | ctx->sig = NULL; |
||
984 | |||
985 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC) |
||
986 | ecdsa_restart_det_free( ctx->det ); |
||
987 | mbedtls_free( ctx->det ); |
||
988 | ctx->det = NULL; |
||
989 | #endif |
||
990 | } |
||
991 | #endif /* MBEDTLS_ECP_RESTARTABLE */ |
||
992 | |||
993 | #endif /* MBEDTLS_ECDSA_C */>>> |