Path: blob/master/thirdparty/mbedtls/library/ecdsa.c
10278 views
/*1* Elliptic curve DSA2*3* Copyright The Mbed TLS Contributors4* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later5*/67/*8* References:9*10* SEC1 https://www.secg.org/sec1-v2.pdf11*/1213#include "common.h"1415#if defined(MBEDTLS_ECDSA_C)1617#include "mbedtls/ecdsa.h"18#include "mbedtls/asn1write.h"1920#include <string.h>2122#if defined(MBEDTLS_ECDSA_DETERMINISTIC)23#include "mbedtls/hmac_drbg.h"24#endif2526#include "mbedtls/platform.h"2728#include "mbedtls/platform_util.h"29#include "mbedtls/error.h"3031#if defined(MBEDTLS_ECP_RESTARTABLE)3233/*34* Sub-context for ecdsa_verify()35*/36struct mbedtls_ecdsa_restart_ver {37mbedtls_mpi u1, u2; /* intermediate values */38enum { /* what to do next? */39ecdsa_ver_init = 0, /* getting started */40ecdsa_ver_muladd, /* muladd step */41} state;42};4344/*45* Init verify restart sub-context46*/47static void ecdsa_restart_ver_init(mbedtls_ecdsa_restart_ver_ctx *ctx)48{49mbedtls_mpi_init(&ctx->u1);50mbedtls_mpi_init(&ctx->u2);51ctx->state = ecdsa_ver_init;52}5354/*55* Free the components of a verify restart sub-context56*/57static void ecdsa_restart_ver_free(mbedtls_ecdsa_restart_ver_ctx *ctx)58{59if (ctx == NULL) {60return;61}6263mbedtls_mpi_free(&ctx->u1);64mbedtls_mpi_free(&ctx->u2);6566ecdsa_restart_ver_init(ctx);67}6869/*70* Sub-context for ecdsa_sign()71*/72struct mbedtls_ecdsa_restart_sig {73int sign_tries;74int key_tries;75mbedtls_mpi k; /* per-signature random */76mbedtls_mpi r; /* r value */77enum { /* what to do next? */78ecdsa_sig_init = 0, /* getting started */79ecdsa_sig_mul, /* doing ecp_mul() */80ecdsa_sig_modn, /* mod N computations */81} state;82};8384/*85* Init verify sign sub-context86*/87static void ecdsa_restart_sig_init(mbedtls_ecdsa_restart_sig_ctx *ctx)88{89ctx->sign_tries = 0;90ctx->key_tries = 0;91mbedtls_mpi_init(&ctx->k);92mbedtls_mpi_init(&ctx->r);93ctx->state = ecdsa_sig_init;94}9596/*97* Free the components of a sign restart sub-context98*/99static void ecdsa_restart_sig_free(mbedtls_ecdsa_restart_sig_ctx *ctx)100{101if (ctx == NULL) {102return;103}104105mbedtls_mpi_free(&ctx->k);106mbedtls_mpi_free(&ctx->r);107}108109#if defined(MBEDTLS_ECDSA_DETERMINISTIC)110/*111* Sub-context for ecdsa_sign_det()112*/113struct mbedtls_ecdsa_restart_det {114mbedtls_hmac_drbg_context rng_ctx; /* DRBG state */115enum { /* what to do next? */116ecdsa_det_init = 0, /* getting started */117ecdsa_det_sign, /* make signature */118} state;119};120121/*122* Init verify sign_det sub-context123*/124static void ecdsa_restart_det_init(mbedtls_ecdsa_restart_det_ctx *ctx)125{126mbedtls_hmac_drbg_init(&ctx->rng_ctx);127ctx->state = ecdsa_det_init;128}129130/*131* Free the components of a sign_det restart sub-context132*/133static void ecdsa_restart_det_free(mbedtls_ecdsa_restart_det_ctx *ctx)134{135if (ctx == NULL) {136return;137}138139mbedtls_hmac_drbg_free(&ctx->rng_ctx);140141ecdsa_restart_det_init(ctx);142}143#endif /* MBEDTLS_ECDSA_DETERMINISTIC */144145#define ECDSA_RS_ECP (rs_ctx == NULL ? NULL : &rs_ctx->ecp)146147/* Utility macro for checking and updating ops budget */148#define ECDSA_BUDGET(ops) \149MBEDTLS_MPI_CHK(mbedtls_ecp_check_budget(grp, ECDSA_RS_ECP, ops));150151/* Call this when entering a function that needs its own sub-context */152#define ECDSA_RS_ENTER(SUB) do { \153/* reset ops count for this call if top-level */ \154if (rs_ctx != NULL && rs_ctx->ecp.depth++ == 0) \155rs_ctx->ecp.ops_done = 0; \156\157/* set up our own sub-context if needed */ \158if (mbedtls_ecp_restart_is_enabled() && \159rs_ctx != NULL && rs_ctx->SUB == NULL) \160{ \161rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \162if (rs_ctx->SUB == NULL) \163return MBEDTLS_ERR_ECP_ALLOC_FAILED; \164\165ecdsa_restart_## SUB ##_init(rs_ctx->SUB); \166} \167} while (0)168169/* Call this when leaving a function that needs its own sub-context */170#define ECDSA_RS_LEAVE(SUB) do { \171/* clear our sub-context when not in progress (done or error) */ \172if (rs_ctx != NULL && rs_ctx->SUB != NULL && \173ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \174{ \175ecdsa_restart_## SUB ##_free(rs_ctx->SUB); \176mbedtls_free(rs_ctx->SUB); \177rs_ctx->SUB = NULL; \178} \179\180if (rs_ctx != NULL) \181rs_ctx->ecp.depth--; \182} while (0)183184#else /* MBEDTLS_ECP_RESTARTABLE */185186#define ECDSA_RS_ECP NULL187188#define ECDSA_BUDGET(ops) /* no-op; for compatibility */189190#define ECDSA_RS_ENTER(SUB) (void) rs_ctx191#define ECDSA_RS_LEAVE(SUB) (void) rs_ctx192193#endif /* MBEDTLS_ECP_RESTARTABLE */194195#if defined(MBEDTLS_ECDSA_DETERMINISTIC) || \196!defined(MBEDTLS_ECDSA_SIGN_ALT) || \197!defined(MBEDTLS_ECDSA_VERIFY_ALT)198/*199* Derive a suitable integer for group grp from a buffer of length len200* SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3201*/202static int derive_mpi(const mbedtls_ecp_group *grp, mbedtls_mpi *x,203const unsigned char *buf, size_t blen)204{205int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;206size_t n_size = (grp->nbits + 7) / 8;207size_t use_size = blen > n_size ? n_size : blen;208209MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(x, buf, use_size));210if (use_size * 8 > grp->nbits) {211MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(x, use_size * 8 - grp->nbits));212}213214/* While at it, reduce modulo N */215if (mbedtls_mpi_cmp_mpi(x, &grp->N) >= 0) {216MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(x, x, &grp->N));217}218219cleanup:220return ret;221}222#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */223224int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)225{226switch (gid) {227#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED228case MBEDTLS_ECP_DP_CURVE25519: return 0;229#endif230#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED231case MBEDTLS_ECP_DP_CURVE448: return 0;232#endif233default: return 1;234}235}236237#if !defined(MBEDTLS_ECDSA_SIGN_ALT)238/*239* Compute ECDSA signature of a hashed message (SEC1 4.1.3)240* Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)241*/242int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,243mbedtls_mpi *r, mbedtls_mpi *s,244const mbedtls_mpi *d, const unsigned char *buf, size_t blen,245int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,246int (*f_rng_blind)(void *, unsigned char *, size_t),247void *p_rng_blind,248mbedtls_ecdsa_restart_ctx *rs_ctx)249{250int ret, key_tries, sign_tries;251int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;252mbedtls_ecp_point R;253mbedtls_mpi k, e, t;254mbedtls_mpi *pk = &k, *pr = r;255256/* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */257if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {258return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;259}260261/* Make sure d is in range 1..n-1 */262if (mbedtls_mpi_cmp_int(d, 1) < 0 || mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {263return MBEDTLS_ERR_ECP_INVALID_KEY;264}265266mbedtls_ecp_point_init(&R);267mbedtls_mpi_init(&k); mbedtls_mpi_init(&e); mbedtls_mpi_init(&t);268269ECDSA_RS_ENTER(sig);270271#if defined(MBEDTLS_ECP_RESTARTABLE)272if (rs_ctx != NULL && rs_ctx->sig != NULL) {273/* redirect to our context */274p_sign_tries = &rs_ctx->sig->sign_tries;275p_key_tries = &rs_ctx->sig->key_tries;276pk = &rs_ctx->sig->k;277pr = &rs_ctx->sig->r;278279/* jump to current step */280if (rs_ctx->sig->state == ecdsa_sig_mul) {281goto mul;282}283if (rs_ctx->sig->state == ecdsa_sig_modn) {284goto modn;285}286}287#endif /* MBEDTLS_ECP_RESTARTABLE */288289*p_sign_tries = 0;290do {291if ((*p_sign_tries)++ > 10) {292ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;293goto cleanup;294}295296/*297* Steps 1-3: generate a suitable ephemeral keypair298* and set r = xR mod n299*/300*p_key_tries = 0;301do {302if ((*p_key_tries)++ > 10) {303ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;304goto cleanup;305}306307MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, pk, f_rng, p_rng));308309#if defined(MBEDTLS_ECP_RESTARTABLE)310if (rs_ctx != NULL && rs_ctx->sig != NULL) {311rs_ctx->sig->state = ecdsa_sig_mul;312}313314mul:315#endif316MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &R, pk, &grp->G,317f_rng_blind,318p_rng_blind,319ECDSA_RS_ECP));320MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pr, &R.X, &grp->N));321} while (mbedtls_mpi_cmp_int(pr, 0) == 0);322323#if defined(MBEDTLS_ECP_RESTARTABLE)324if (rs_ctx != NULL && rs_ctx->sig != NULL) {325rs_ctx->sig->state = ecdsa_sig_modn;326}327328modn:329#endif330/*331* Accounting for everything up to the end of the loop332* (step 6, but checking now avoids saving e and t)333*/334ECDSA_BUDGET(MBEDTLS_ECP_OPS_INV + 4);335336/*337* Step 5: derive MPI from hashed message338*/339MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));340341/*342* Generate a random value to blind inv_mod in next step,343* avoiding a potential timing leak.344*/345MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, &t, f_rng_blind,346p_rng_blind));347348/*349* Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n350*/351MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, pr, d));352MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&e, &e, s));353MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&e, &e, &t));354MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pk, pk, &t));355MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pk, pk, &grp->N));356MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(s, pk, &grp->N));357MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, s, &e));358MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(s, s, &grp->N));359} while (mbedtls_mpi_cmp_int(s, 0) == 0);360361#if defined(MBEDTLS_ECP_RESTARTABLE)362if (rs_ctx != NULL && rs_ctx->sig != NULL) {363MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr));364}365#endif366367cleanup:368mbedtls_ecp_point_free(&R);369mbedtls_mpi_free(&k); mbedtls_mpi_free(&e); mbedtls_mpi_free(&t);370371ECDSA_RS_LEAVE(sig);372373return ret;374}375376/*377* Compute ECDSA signature of a hashed message378*/379int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,380const mbedtls_mpi *d, const unsigned char *buf, size_t blen,381int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)382{383/* Use the same RNG for both blinding and ephemeral key generation */384return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,385f_rng, p_rng, f_rng, p_rng, NULL);386}387#endif /* !MBEDTLS_ECDSA_SIGN_ALT */388389#if defined(MBEDTLS_ECDSA_DETERMINISTIC)390/*391* Deterministic signature wrapper392*393* note: The f_rng_blind parameter must not be NULL.394*395*/396int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,397mbedtls_mpi *r, mbedtls_mpi *s,398const mbedtls_mpi *d, const unsigned char *buf, size_t blen,399mbedtls_md_type_t md_alg,400int (*f_rng_blind)(void *, unsigned char *, size_t),401void *p_rng_blind,402mbedtls_ecdsa_restart_ctx *rs_ctx)403{404int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;405mbedtls_hmac_drbg_context rng_ctx;406mbedtls_hmac_drbg_context *p_rng = &rng_ctx;407unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];408size_t grp_len = (grp->nbits + 7) / 8;409const mbedtls_md_info_t *md_info;410mbedtls_mpi h;411412if ((md_info = mbedtls_md_info_from_type(md_alg)) == NULL) {413return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;414}415416mbedtls_mpi_init(&h);417mbedtls_hmac_drbg_init(&rng_ctx);418419ECDSA_RS_ENTER(det);420421#if defined(MBEDTLS_ECP_RESTARTABLE)422if (rs_ctx != NULL && rs_ctx->det != NULL) {423/* redirect to our context */424p_rng = &rs_ctx->det->rng_ctx;425426/* jump to current step */427if (rs_ctx->det->state == ecdsa_det_sign) {428goto sign;429}430}431#endif /* MBEDTLS_ECP_RESTARTABLE */432433/* Use private key and message hash (reduced) to initialize HMAC_DRBG */434MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));435MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));436MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));437MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len));438439#if defined(MBEDTLS_ECP_RESTARTABLE)440if (rs_ctx != NULL && rs_ctx->det != NULL) {441rs_ctx->det->state = ecdsa_det_sign;442}443444sign:445#endif446#if defined(MBEDTLS_ECDSA_SIGN_ALT)447(void) f_rng_blind;448(void) p_rng_blind;449ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,450mbedtls_hmac_drbg_random, p_rng);451#else452ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,453mbedtls_hmac_drbg_random, p_rng,454f_rng_blind, p_rng_blind, rs_ctx);455#endif /* MBEDTLS_ECDSA_SIGN_ALT */456457cleanup:458mbedtls_hmac_drbg_free(&rng_ctx);459mbedtls_mpi_free(&h);460461ECDSA_RS_LEAVE(det);462463return ret;464}465466/*467* Deterministic signature wrapper468*/469int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,470mbedtls_mpi *s, const mbedtls_mpi *d,471const unsigned char *buf, size_t blen,472mbedtls_md_type_t md_alg,473int (*f_rng_blind)(void *, unsigned char *,474size_t),475void *p_rng_blind)476{477return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,478f_rng_blind, p_rng_blind, NULL);479}480#endif /* MBEDTLS_ECDSA_DETERMINISTIC */481482#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)483/*484* Verify ECDSA signature of hashed message (SEC1 4.1.4)485* Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)486*/487int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,488const unsigned char *buf, size_t blen,489const mbedtls_ecp_point *Q,490const mbedtls_mpi *r,491const mbedtls_mpi *s,492mbedtls_ecdsa_restart_ctx *rs_ctx)493{494int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;495mbedtls_mpi e, s_inv, u1, u2;496mbedtls_ecp_point R;497mbedtls_mpi *pu1 = &u1, *pu2 = &u2;498499mbedtls_ecp_point_init(&R);500mbedtls_mpi_init(&e); mbedtls_mpi_init(&s_inv);501mbedtls_mpi_init(&u1); mbedtls_mpi_init(&u2);502503/* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */504if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {505return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;506}507508ECDSA_RS_ENTER(ver);509510#if defined(MBEDTLS_ECP_RESTARTABLE)511if (rs_ctx != NULL && rs_ctx->ver != NULL) {512/* redirect to our context */513pu1 = &rs_ctx->ver->u1;514pu2 = &rs_ctx->ver->u2;515516/* jump to current step */517if (rs_ctx->ver->state == ecdsa_ver_muladd) {518goto muladd;519}520}521#endif /* MBEDTLS_ECP_RESTARTABLE */522523/*524* Step 1: make sure r and s are in range 1..n-1525*/526if (mbedtls_mpi_cmp_int(r, 1) < 0 || mbedtls_mpi_cmp_mpi(r, &grp->N) >= 0 ||527mbedtls_mpi_cmp_int(s, 1) < 0 || mbedtls_mpi_cmp_mpi(s, &grp->N) >= 0) {528ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;529goto cleanup;530}531532/*533* Step 3: derive MPI from hashed message534*/535MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));536537/*538* Step 4: u1 = e / s mod n, u2 = r / s mod n539*/540ECDSA_BUDGET(MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2);541542MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&s_inv, s, &grp->N));543544MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu1, &e, &s_inv));545MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu1, pu1, &grp->N));546547MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu2, r, &s_inv));548MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu2, pu2, &grp->N));549550#if defined(MBEDTLS_ECP_RESTARTABLE)551if (rs_ctx != NULL && rs_ctx->ver != NULL) {552rs_ctx->ver->state = ecdsa_ver_muladd;553}554555muladd:556#endif557/*558* Step 5: R = u1 G + u2 Q559*/560MBEDTLS_MPI_CHK(mbedtls_ecp_muladd_restartable(grp,561&R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP));562563if (mbedtls_ecp_is_zero(&R)) {564ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;565goto cleanup;566}567568/*569* Step 6: convert xR to an integer (no-op)570* Step 7: reduce xR mod n (gives v)571*/572MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&R.X, &R.X, &grp->N));573574/*575* Step 8: check if v (that is, R.X) is equal to r576*/577if (mbedtls_mpi_cmp_mpi(&R.X, r) != 0) {578ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;579goto cleanup;580}581582cleanup:583mbedtls_ecp_point_free(&R);584mbedtls_mpi_free(&e); mbedtls_mpi_free(&s_inv);585mbedtls_mpi_free(&u1); mbedtls_mpi_free(&u2);586587ECDSA_RS_LEAVE(ver);588589return ret;590}591592/*593* Verify ECDSA signature of hashed message594*/595int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,596const unsigned char *buf, size_t blen,597const mbedtls_ecp_point *Q,598const mbedtls_mpi *r,599const mbedtls_mpi *s)600{601return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);602}603#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */604605/*606* Convert a signature (given by context) to ASN.1607*/608static int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s,609unsigned char *sig, size_t sig_size,610size_t *slen)611{612int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;613unsigned char buf[MBEDTLS_ECDSA_MAX_LEN] = { 0 };614unsigned char *p = buf + sizeof(buf);615size_t len = 0;616617MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, s));618MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, r));619620MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, buf, len));621MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf,622MBEDTLS_ASN1_CONSTRUCTED |623MBEDTLS_ASN1_SEQUENCE));624625if (len > sig_size) {626return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;627}628629memcpy(sig, p, len);630*slen = len;631632return 0;633}634635/*636* Compute and write signature637*/638int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,639mbedtls_md_type_t md_alg,640const unsigned char *hash, size_t hlen,641unsigned char *sig, size_t sig_size, size_t *slen,642int (*f_rng)(void *, unsigned char *, size_t),643void *p_rng,644mbedtls_ecdsa_restart_ctx *rs_ctx)645{646int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;647mbedtls_mpi r, s;648if (f_rng == NULL) {649return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;650}651652mbedtls_mpi_init(&r);653mbedtls_mpi_init(&s);654655#if defined(MBEDTLS_ECDSA_DETERMINISTIC)656MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,657hash, hlen, md_alg, f_rng,658p_rng, rs_ctx));659#else660(void) md_alg;661662#if defined(MBEDTLS_ECDSA_SIGN_ALT)663(void) rs_ctx;664665MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ctx->grp, &r, &s, &ctx->d,666hash, hlen, f_rng, p_rng));667#else668/* Use the same RNG for both blinding and ephemeral key generation */669MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,670hash, hlen, f_rng, p_rng, f_rng,671p_rng, rs_ctx));672#endif /* MBEDTLS_ECDSA_SIGN_ALT */673#endif /* MBEDTLS_ECDSA_DETERMINISTIC */674675MBEDTLS_MPI_CHK(ecdsa_signature_to_asn1(&r, &s, sig, sig_size, slen));676677cleanup:678mbedtls_mpi_free(&r);679mbedtls_mpi_free(&s);680681return ret;682}683684/*685* Compute and write signature686*/687int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,688mbedtls_md_type_t md_alg,689const unsigned char *hash, size_t hlen,690unsigned char *sig, size_t sig_size, size_t *slen,691int (*f_rng)(void *, unsigned char *, size_t),692void *p_rng)693{694return mbedtls_ecdsa_write_signature_restartable(695ctx, md_alg, hash, hlen, sig, sig_size, slen,696f_rng, p_rng, NULL);697}698699/*700* Read and check signature701*/702int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,703const unsigned char *hash, size_t hlen,704const unsigned char *sig, size_t slen)705{706return mbedtls_ecdsa_read_signature_restartable(707ctx, hash, hlen, sig, slen, NULL);708}709710/*711* Restartable read and check signature712*/713int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,714const unsigned char *hash, size_t hlen,715const unsigned char *sig, size_t slen,716mbedtls_ecdsa_restart_ctx *rs_ctx)717{718int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;719unsigned char *p = (unsigned char *) sig;720const unsigned char *end = sig + slen;721size_t len;722mbedtls_mpi r, s;723mbedtls_mpi_init(&r);724mbedtls_mpi_init(&s);725726if ((ret = mbedtls_asn1_get_tag(&p, end, &len,727MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {728ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;729goto cleanup;730}731732if (p + len != end) {733ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,734MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);735goto cleanup;736}737738if ((ret = mbedtls_asn1_get_mpi(&p, end, &r)) != 0 ||739(ret = mbedtls_asn1_get_mpi(&p, end, &s)) != 0) {740ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;741goto cleanup;742}743#if defined(MBEDTLS_ECDSA_VERIFY_ALT)744(void) rs_ctx;745746if ((ret = mbedtls_ecdsa_verify(&ctx->grp, hash, hlen,747&ctx->Q, &r, &s)) != 0) {748goto cleanup;749}750#else751if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,752&ctx->Q, &r, &s, rs_ctx)) != 0) {753goto cleanup;754}755#endif /* MBEDTLS_ECDSA_VERIFY_ALT */756757/* At this point we know that the buffer starts with a valid signature.758* Return 0 if the buffer just contains the signature, and a specific759* error code if the valid signature is followed by more data. */760if (p != end) {761ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;762}763764cleanup:765mbedtls_mpi_free(&r);766mbedtls_mpi_free(&s);767768return ret;769}770771#if !defined(MBEDTLS_ECDSA_GENKEY_ALT)772/*773* Generate key pair774*/775int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,776int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)777{778int ret = 0;779ret = mbedtls_ecp_group_load(&ctx->grp, gid);780if (ret != 0) {781return ret;782}783784return mbedtls_ecp_gen_keypair(&ctx->grp, &ctx->d,785&ctx->Q, f_rng, p_rng);786}787#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */788789/*790* Set context from an mbedtls_ecp_keypair791*/792int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key)793{794int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;795if ((ret = mbedtls_ecp_group_copy(&ctx->grp, &key->grp)) != 0 ||796(ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0 ||797(ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0) {798mbedtls_ecdsa_free(ctx);799}800801return ret;802}803804/*805* Initialize context806*/807void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx)808{809mbedtls_ecp_keypair_init(ctx);810}811812/*813* Free context814*/815void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx)816{817if (ctx == NULL) {818return;819}820821mbedtls_ecp_keypair_free(ctx);822}823824#if defined(MBEDTLS_ECP_RESTARTABLE)825/*826* Initialize a restart context827*/828void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx)829{830mbedtls_ecp_restart_init(&ctx->ecp);831832ctx->ver = NULL;833ctx->sig = NULL;834#if defined(MBEDTLS_ECDSA_DETERMINISTIC)835ctx->det = NULL;836#endif837}838839/*840* Free the components of a restart context841*/842void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx)843{844if (ctx == NULL) {845return;846}847848mbedtls_ecp_restart_free(&ctx->ecp);849850ecdsa_restart_ver_free(ctx->ver);851mbedtls_free(ctx->ver);852ctx->ver = NULL;853854ecdsa_restart_sig_free(ctx->sig);855mbedtls_free(ctx->sig);856ctx->sig = NULL;857858#if defined(MBEDTLS_ECDSA_DETERMINISTIC)859ecdsa_restart_det_free(ctx->det);860mbedtls_free(ctx->det);861ctx->det = NULL;862#endif863}864#endif /* MBEDTLS_ECP_RESTARTABLE */865866#endif /* MBEDTLS_ECDSA_C */867868869