diff options
Diffstat (limited to 'comm/third_party/botan/src/lib/pubkey/ecdsa/ecdsa.cpp')
-rw-r--r-- | comm/third_party/botan/src/lib/pubkey/ecdsa/ecdsa.cpp | 308 |
1 files changed, 308 insertions, 0 deletions
diff --git a/comm/third_party/botan/src/lib/pubkey/ecdsa/ecdsa.cpp b/comm/third_party/botan/src/lib/pubkey/ecdsa/ecdsa.cpp new file mode 100644 index 0000000000..ebe9268cc9 --- /dev/null +++ b/comm/third_party/botan/src/lib/pubkey/ecdsa/ecdsa.cpp @@ -0,0 +1,308 @@ +/* +* ECDSA implemenation +* (C) 2007 Manuel Hartl, FlexSecure GmbH +* 2007 Falko Strenzke, FlexSecure GmbH +* 2008-2010,2015,2016,2018 Jack Lloyd +* 2016 René Korthaus +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/ecdsa.h> +#include <botan/internal/pk_ops_impl.h> +#include <botan/internal/point_mul.h> +#include <botan/keypair.h> +#include <botan/reducer.h> +#include <botan/emsa.h> + +#if defined(BOTAN_HAS_RFC6979_GENERATOR) + #include <botan/rfc6979.h> +#endif + +#if defined(BOTAN_HAS_OPENSSL) + #include <botan/internal/openssl.h> +#endif + +namespace Botan { + +namespace { + +PointGFp recover_ecdsa_public_key(const EC_Group& group, + const std::vector<uint8_t>& msg, + const BigInt& r, + const BigInt& s, + uint8_t v) + { + if(group.get_cofactor() != 1) + throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups"); + + if(v > 4) + throw Invalid_Argument("Unexpected v param for ECDSA public key recovery"); + + const uint8_t y_odd = v % 2; + const uint8_t add_order = v >> 1; + + const BigInt& group_order = group.get_order(); + const size_t p_bytes = group.get_p_bytes(); + + try + { + const BigInt e(msg.data(), msg.size(), group.get_order_bits()); + const BigInt r_inv = group.inverse_mod_order(r); + + BigInt x = r + add_order*group_order; + + std::vector<uint8_t> X(p_bytes + 1); + + X[0] = 0x02 | y_odd; + BigInt::encode_1363(&X[1], p_bytes, x); + + const PointGFp R = group.OS2ECP(X); + + if((R*group_order).is_zero() == false) + throw Decoding_Error("Unable to recover ECDSA public key"); + + // Compute r_inv * (s*R - eG) + PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point()); + const BigInt ne = group.mod_order(group_order - e); + return r_inv * RG_mul.multi_exp(s, ne); + } + catch(...) + { + // continue on and throw + } + + throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair"); + } + +} + +ECDSA_PublicKey::ECDSA_PublicKey(const EC_Group& group, + const std::vector<uint8_t>& msg, + const BigInt& r, + const BigInt& s, + uint8_t v) : + EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {} + + +uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg, + const BigInt& r, + const BigInt& s) const + { + for(uint8_t v = 0; v != 4; ++v) + { + try + { + PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v); + + if(R == this->public_point()) + { + return v; + } + } + catch(Decoding_Error&) + { + // try the next v + } + } + + throw Internal_Error("Could not determine ECDSA recovery parameter"); + } + +bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng, + bool strong) const + { + if(!public_point().on_the_curve()) + return false; + + if(!strong) + return true; + + return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)"); + } + +namespace { + +/** +* ECDSA signature operation +*/ +class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA + { + public: + + ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa, + const std::string& emsa, + RandomNumberGenerator& rng) : + PK_Ops::Signature_with_EMSA(emsa), + m_group(ecdsa.domain()), + m_x(ecdsa.private_value()) + { +#if defined(BOTAN_HAS_RFC6979_GENERATOR) + m_rfc6979.reset(new RFC6979_Nonce_Generator(hash_for_emsa(emsa), m_group.get_order(), m_x)); +#endif + + m_b = m_group.random_scalar(rng); + m_b_inv = m_group.inverse_mod_order(m_b); + } + + size_t signature_length() const override { return 2*m_group.get_order_bytes(); } + + size_t max_input_bits() const override { return m_group.get_order_bits(); } + + secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, + RandomNumberGenerator& rng) override; + + private: + const EC_Group m_group; + const BigInt& m_x; + +#if defined(BOTAN_HAS_RFC6979_GENERATOR) + std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979; +#endif + + std::vector<BigInt> m_ws; + + BigInt m_b, m_b_inv; + }; + +secure_vector<uint8_t> +ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len, + RandomNumberGenerator& rng) + { + BigInt m(msg, msg_len, m_group.get_order_bits()); + +#if defined(BOTAN_HAS_RFC6979_GENERATOR) + const BigInt k = m_rfc6979->nonce_for(m); +#else + const BigInt k = m_group.random_scalar(rng); +#endif + + const BigInt r = m_group.mod_order( + m_group.blinded_base_point_multiply_x(k, rng, m_ws)); + + const BigInt k_inv = m_group.inverse_mod_order(k); + + /* + * Blind the input message and compute x*r+m as (x*r*b + m*b)/b + */ + m_b = m_group.square_mod_order(m_b); + m_b_inv = m_group.square_mod_order(m_b_inv); + + m = m_group.multiply_mod_order(m_b, m_group.mod_order(m)); + const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m); + + const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv); + + // With overwhelming probability, a bug rather than actual zero r/s + if(r.is_zero() || s.is_zero()) + throw Internal_Error("During ECDSA signature generated zero r/s"); + + return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes()); + } + +/** +* ECDSA verification operation +*/ +class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA + { + public: + ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, + const std::string& emsa) : + PK_Ops::Verification_with_EMSA(emsa), + m_group(ecdsa.domain()), + m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) + { + } + + size_t max_input_bits() const override { return m_group.get_order_bits(); } + + bool with_recovery() const override { return false; } + + bool verify(const uint8_t msg[], size_t msg_len, + const uint8_t sig[], size_t sig_len) override; + private: + const EC_Group m_group; + const PointGFp_Multi_Point_Precompute m_gy_mul; + }; + +bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, + const uint8_t sig[], size_t sig_len) + { + if(sig_len != m_group.get_order_bytes() * 2) + return false; + + const BigInt e(msg, msg_len, m_group.get_order_bits()); + + const BigInt r(sig, sig_len / 2); + const BigInt s(sig + sig_len / 2, sig_len / 2); + + if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) + return false; + + const BigInt w = m_group.inverse_mod_order(s); + + const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w); + const BigInt u2 = m_group.multiply_mod_order(r, w); + const PointGFp R = m_gy_mul.multi_exp(u1, u2); + + if(R.is_zero()) + return false; + + const BigInt v = m_group.mod_order(R.get_affine_x()); + return (v == r); + } + +} + +std::unique_ptr<PK_Ops::Verification> +ECDSA_PublicKey::create_verification_op(const std::string& params, + const std::string& provider) const + { +#if defined(BOTAN_HAS_OPENSSL) + if(provider == "openssl" || provider.empty()) + { + try + { + return make_openssl_ecdsa_ver_op(*this, params); + } + catch(Lookup_Error& e) + { + if(provider == "openssl") + throw; + } + } +#endif + + if(provider == "base" || provider.empty()) + return std::unique_ptr<PK_Ops::Verification>(new ECDSA_Verification_Operation(*this, params)); + + throw Provider_Not_Found(algo_name(), provider); + } + +std::unique_ptr<PK_Ops::Signature> +ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng, + const std::string& params, + const std::string& provider) const + { +#if defined(BOTAN_HAS_OPENSSL) + if(provider == "openssl" || provider.empty()) + { + try + { + return make_openssl_ecdsa_sig_op(*this, params); + } + catch(Lookup_Error& e) + { + if(provider == "openssl") + throw; + } + } +#endif + + if(provider == "base" || provider.empty()) + return std::unique_ptr<PK_Ops::Signature>(new ECDSA_Signature_Operation(*this, params, rng)); + + throw Provider_Not_Found(algo_name(), provider); + } + +} |