Merge pull request #235 from libtom/pr/ecc_sign+verify_hash_rfc7518

ECC ecc_sign+verify_hash_raw > ecc_sign+verify_hash_rfc7518

src/headers/tomcrypt_pk.h

@@ -17,6 +17,9 @@ enum {
 /* Indicates standard output formats that can be read e.g. by OpenSSL or GnuTLS */
 #define PK_STD          0x1000
 
+/* iterations limit for retry-loops */
+#define PK_MAX_RETRIES  20
+
 int rand_prime(void *N, long len, prng_state *prng, int wprng);
 int rand_bn_bits(void *N, int bits, prng_state *prng, int wprng);
 int rand_bn_range(void *N, void *limit, prng_state *prng, int wprng);
@@ -314,17 +317,17 @@ int  ecc_decrypt_key(const unsigned char *in,  unsigned long  inlen,
                            unsigned char *out, unsigned long *outlen,
                            ecc_key *key);
 
-int ecc_sign_hash_raw(const unsigned char *in,  unsigned long inlen,
-                            void   *r,   void *s,
-                            prng_state *prng, int wprng, ecc_key *key);
+int ecc_sign_hash_rfc7518(const unsigned char *in,  unsigned long inlen,
+                                unsigned char *out, unsigned long *outlen,
+                                prng_state *prng, int wprng, ecc_key *key);
 
 int  ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
                          unsigned char *out, unsigned long *outlen,
                          prng_state *prng, int wprng, ecc_key *key);
 
-int ecc_verify_hash_raw(      void   *r, void   *s,
-                        const unsigned char *hash, unsigned long hashlen,
-                        int *stat, ecc_key *key);
+int ecc_verify_hash_rfc7518(const unsigned char *sig,  unsigned long siglen,
+                            const unsigned char *hash, unsigned long hashlen,
+                            int *stat, ecc_key *key);
 
 int  ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                      const unsigned char *hash, unsigned long hashlen,

src/pk/ecc/ecc_sign_hash.c

@@ -7,43 +7,29 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
+#ifdef LTC_MECC
+
 /**
   @file ecc_sign_hash.c
   ECC Crypto, Tom St Denis
 */
 
-#ifdef LTC_MECC
-
-/**
-  Sign a hash with ECC
-  @param in       The hash to sign
-  @param inlen    The length of the hash to sign
-  @param r        The "r" integer of the signature (caller must initialize with mp_init() first)
-  @param s        The "s" integer of the signature (caller must initialize with mp_init() first)
-  @param prng     An active PRNG state
-  @param wprng    The index of the PRNG desired
-  @param key      A private ECC key
-  @return CRYPT_OK if successful
-*/
-int ecc_sign_hash_raw(const unsigned char *in,  unsigned long inlen,
-                            void *r, void *s,
-                            prng_state *prng, int wprng, ecc_key *key)
+static int _ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
+                                unsigned char *out, unsigned long *outlen,
+                                prng_state *prng, int wprng, ecc_key *key, int sigformat)
 {
    ecc_key       pubkey;
-   void          *e, *p;
-   int           err;
+   void          *r, *s, *e, *p;
+   int           err, max_iterations = PK_MAX_RETRIES;
+   unsigned long pbits, pbytes, i, shift_right;
+   unsigned char ch, buf[MAXBLOCKSIZE];
 
-   LTC_ARGCHK(in  != NULL);
-   LTC_ARGCHK(r   != NULL);
-   LTC_ARGCHK(s   != NULL);
-   LTC_ARGCHK(key != NULL);
+   LTC_ARGCHK(in     != NULL);
+   LTC_ARGCHK(out    != NULL);
+   LTC_ARGCHK(outlen != NULL);
+   LTC_ARGCHK(key    != NULL);
 
    /* is this a private key? */
    if (key->type != PK_PRIVATE) {
@@ -59,46 +45,83 @@ int ecc_sign_hash_raw(const unsigned char *in,  unsigned long inlen,
       return err;
    }
 
-   /* get the hash and load it as a bignum into 'e' */
    /* init the bignums */
-   if ((err = mp_init_multi(&p, &e, NULL)) != CRYPT_OK) {
+   if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != CRYPT_OK) {
       return err;
    }
-   if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK)                      { goto errnokey; }
-   if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, (int)inlen)) != CRYPT_OK)          { goto errnokey; }
+   if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK)              { goto errnokey; }
+
+   /* get the hash and load it as a bignum into 'e' */
+   pbits = mp_count_bits(p);
+   pbytes = (pbits+7) >> 3;
+   if (pbits > inlen*8) {
+      if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, inlen)) != CRYPT_OK)    { goto errnokey; }
+   }
+   else if (pbits % 8 == 0) {
+      if ((err = mp_read_unsigned_bin(e, (unsigned char *)in, pbytes)) != CRYPT_OK)   { goto errnokey; }
+   }
+   else {
+      shift_right = 8 - pbits % 8;
+      for (i=0, ch=0; i<pbytes; i++) {
+        buf[i] = ch;
+        ch = (in[i] << (8-shift_right));
+        buf[i] = buf[i] ^ (in[i] >> shift_right);
+      }
+      if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK)  { goto errnokey; }
+   }
 
    /* make up a key and export the public copy */
-   for (;;) {
+   do {
       if ((err = ecc_make_key_ex(prng, wprng, &pubkey, key->dp)) != CRYPT_OK) {
          goto errnokey;
       }
 
       /* find r = x1 mod n */
-      if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK)                 { goto error; }
+      if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK)                          { goto error; }
 
       if (mp_iszero(r) == LTC_MP_YES) {
          ecc_free(&pubkey);
       } else {
-        /* find s = (e + xr)/k */
-        if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK)            { goto error; } /* k = 1/k */
-        if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK)                  { goto error; } /* s = xr */
-        if ((err = mp_add(e, s, s)) != CRYPT_OK)                             { goto error; } /* s = e +  xr */
-        if ((err = mp_mod(s, p, s)) != CRYPT_OK)                             { goto error; } /* s = e +  xr */
-        if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK)                { goto error; } /* s = (e + xr)/k */
-        ecc_free(&pubkey);
-        if (mp_iszero(s) == LTC_MP_NO) {
-           break;
-        }
+         /* find s = (e + xr)/k */
+         if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK)         { goto error; } /* k = 1/k */
+         if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK)               { goto error; } /* s = xr */
+         if ((err = mp_add(e, s, s)) != CRYPT_OK)                          { goto error; } /* s = e +  xr */
+         if ((err = mp_mod(s, p, s)) != CRYPT_OK)                          { goto error; } /* s = e +  xr */
+         if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK)             { goto error; } /* s = (e + xr)/k */
+         ecc_free(&pubkey);
+         if (mp_iszero(s) == LTC_MP_NO) {
+            break;
+         }
       }
+   } while (--max_iterations > 0);
+
+   if (max_iterations == 0) {
+      goto errnokey;
    }
 
-   err = CRYPT_OK;
+   if (sigformat == 1) {
+      /* RFC7518 format */
+      if (*outlen < 2*pbytes) { err = CRYPT_MEM; goto errnokey; }
+      zeromem(out, 2*pbytes);
+      i = mp_unsigned_bin_size(r);
+      if ((err = mp_to_unsigned_bin(r, out + (pbytes - i)))   != CRYPT_OK) { goto errnokey; }
+      i = mp_unsigned_bin_size(s);
+      if ((err = mp_to_unsigned_bin(s, out + (2*pbytes - i))) != CRYPT_OK) { goto errnokey; }
+      *outlen = 2*pbytes;
+      err = CRYPT_OK;
+   }
+   else {
+      /* store as ASN.1 SEQUENCE { r, s -- integer } */
+      err = der_encode_sequence_multi(out, outlen,
+                               LTC_ASN1_INTEGER, 1UL, r,
+                               LTC_ASN1_INTEGER, 1UL, s,
+                               LTC_ASN1_EOL, 0UL, NULL);
+   }
    goto errnokey;
-
 error:
    ecc_free(&pubkey);
 errnokey:
-   mp_clear_multi(p, e, NULL);
+   mp_clear_multi(r, s, p, e, NULL);
    return err;
 }
 
@@ -117,35 +140,29 @@ int ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
                         unsigned char *out, unsigned long *outlen,
                         prng_state *prng, int wprng, ecc_key *key)
 {
-   void          *r, *s;
-   int           err;
-
-   LTC_ARGCHK(in     != NULL);
-   LTC_ARGCHK(out    != NULL);
-   LTC_ARGCHK(outlen != NULL);
-   LTC_ARGCHK(key    != NULL);
-
-   if (mp_init_multi(&r, &s, NULL) != CRYPT_OK) {
-      return CRYPT_MEM;
-   }
-
-   if ((err = ecc_sign_hash_raw(in, inlen, r, s, prng, wprng, key)) != CRYPT_OK) {
-      goto error;
-   }
-
-   /* store as SEQUENCE { r, s -- integer } */
-   err = der_encode_sequence_multi(out, outlen,
-                             LTC_ASN1_INTEGER, 1UL, r,
-                             LTC_ASN1_INTEGER, 1UL, s,
-                             LTC_ASN1_EOL, 0UL, NULL);
+   return _ecc_sign_hash(in, inlen, out, outlen, prng, wprng, key, 0);
+}
 
-error:
-   mp_clear_multi(r, s, NULL);
-   return err;
+/**
+  Sign a message digest in RFC7518 format
+  @param in        The message digest to sign
+  @param inlen     The length of the digest
+  @param out       [out] The destination for the signature
+  @param outlen    [in/out] The max size and resulting size of the signature
+  @param prng      An active PRNG state
+  @param wprng     The index of the PRNG you wish to use
+  @param key       A private ECC key
+  @return CRYPT_OK if successful
+*/
+int ecc_sign_hash_rfc7518(const unsigned char *in,  unsigned long inlen,
+                                unsigned char *out, unsigned long *outlen,
+                                prng_state *prng, int wprng, ecc_key *key)
+{
+   return _ecc_sign_hash(in, inlen, out, outlen, prng, wprng, key, 1);
 }
 
 #endif
+
 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */
 /* commit time: $Format:%ai$ */
-

src/pk/ecc/ecc_verify_hash.c

@@ -7,51 +7,27 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
+#ifdef LTC_MECC
+
 /**
   @file ecc_verify_hash.c
   ECC Crypto, Tom St Denis
 */
 
-#ifdef LTC_MECC
-
-/* verify
- *
- * w  = s^-1 mod n
- * u1 = xw
- * u2 = rw
- * X = u1*G + u2*Q
- * v = X_x1 mod n
- * accept if v == r
- */
-
-/**
-  Verify a ECC signature
-  @param r        ECC "r" parameter
-  @param s        ECC "s" parameter
-  @param hash     The hash that was signed
-  @param hashlen  The length of the hash that was signed
-  @param stat     [out] The result of the signature verification, 1==valid, 0==invalid
-  @param key      The corresponding public DH key
-  @return CRYPT_OK if successful (even if the signature is invalid)
-*/
-int ecc_verify_hash_raw(      void   *r, void   *s,
-                        const unsigned char *hash, unsigned long hashlen,
-                        int *stat, ecc_key *key)
+static int _ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
+                            const unsigned char *hash, unsigned long hashlen,
+                            int *stat, ecc_key *key, int sigformat)
 {
    ecc_point    *mG, *mQ;
-   void          *v, *w, *u1, *u2, *e, *p, *m;
-   void          *mp = NULL;
+   void          *r, *s, *v, *w, *u1, *u2, *e, *p, *m;
+   void          *mp;
    int           err;
+   unsigned long pbits, pbytes, i, shift_right;
+   unsigned char ch, buf[MAXBLOCKSIZE];
 
-   LTC_ARGCHK(r    != NULL);
-   LTC_ARGCHK(s    != NULL);
+   LTC_ARGCHK(sig  != NULL);
    LTC_ARGCHK(hash != NULL);
    LTC_ARGCHK(stat != NULL);
    LTC_ARGCHK(key  != NULL);
@@ -66,7 +42,7 @@ int ecc_verify_hash_raw(      void   *r, void   *s,
    }
 
    /* allocate ints */
-   if ((err = mp_init_multi(&v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) {
+   if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) {
       return CRYPT_MEM;
    }
 
@@ -78,6 +54,24 @@ int ecc_verify_hash_raw(      void   *r, void   *s,
       goto error;
    }
 
+   if (sigformat == 1) {
+      /* RFC7518 format */
+      if ((siglen % 2) == 1) {
+         err = CRYPT_INVALID_PACKET;
+         goto error;
+      }
+      i = siglen / 2;
+      if ((err = mp_read_unsigned_bin(r, (unsigned char *)sig,   i)) != CRYPT_OK)                       { goto error; }
+      if ((err = mp_read_unsigned_bin(s, (unsigned char *)sig+i, i)) != CRYPT_OK)                       { goto error; }
+   }
+   else {
+      /* ASN.1 format */
+      if ((err = der_decode_sequence_multi(sig, siglen,
+                                     LTC_ASN1_INTEGER, 1UL, r,
+                                     LTC_ASN1_INTEGER, 1UL, s,
+                                     LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK)                             { goto error; }
+   }
+
    /* get the order */
    if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK)                                { goto error; }
 
@@ -90,8 +84,24 @@ int ecc_verify_hash_raw(      void   *r, void   *s,
       goto error;
    }
 
-   /* read hash */
-   if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, (int)hashlen)) != CRYPT_OK)                { goto error; }
+   /* read hash - truncate if needed */
+   pbits = mp_count_bits(p);
+   pbytes = (pbits+7) >> 3;
+   if (pbits > hashlen*8) {
+      if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, hashlen)) != CRYPT_OK)                  { goto error; }
+   }
+   else if (pbits % 8 == 0) {
+      if ((err = mp_read_unsigned_bin(e, (unsigned char *)hash, pbytes)) != CRYPT_OK)                   { goto error; }
+   }
+   else {
+      shift_right = 8 - pbits % 8;
+      for (i=0, ch=0; i<pbytes; i++) {
+        buf[i] = ch;
+        ch = (hash[i] << (8-shift_right));
+        buf[i] = buf[i] ^ (hash[i] >> shift_right);
+      }
+      if ((err = mp_read_unsigned_bin(e, (unsigned char *)buf, pbytes)) != CRYPT_OK)                    { goto error; }
+   }
 
    /*  w  = s^-1 mod n */
    if ((err = mp_invmod(s, p, w)) != CRYPT_OK)                                                          { goto error; }
@@ -142,7 +152,7 @@ int ecc_verify_hash_raw(      void   *r, void   *s,
 error:
    ltc_ecc_del_point(mG);
    ltc_ecc_del_point(mQ);
-   mp_clear_multi(v, w, u1, u2, p, e, m, NULL);
+   mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL);
    if (mp != NULL) {
       mp_montgomery_free(mp);
    }
@@ -159,42 +169,32 @@ error:
    @param key         The corresponding public ECC key
    @return CRYPT_OK if successful (even if the signature is not valid)
 */
-
 int ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                     const unsigned char *hash, unsigned long hashlen,
                     int *stat, ecc_key *key)
 {
-   void          *r, *s;
-   int           err;
-
-   LTC_ARGCHK(sig  != NULL);
-   LTC_ARGCHK(hash != NULL);
-   LTC_ARGCHK(stat != NULL);
-   LTC_ARGCHK(key  != NULL);
-
-   /* allocate ints */
-   if ((err = mp_init_multi(&r, &s, NULL)) != CRYPT_OK) {
-      return CRYPT_MEM;
-   }
-
-   /* parse header */
-   if ((err = der_decode_sequence_multi(sig, siglen,
-                                  LTC_ASN1_INTEGER, 1UL, r,
-                                  LTC_ASN1_INTEGER, 1UL, s,
-                                  LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) {
-      goto error;
-   }
-
-   /* do the op */
-   err = ecc_verify_hash_raw(r, s, hash, hashlen, stat, key);
+   return _ecc_verify_hash(sig, siglen, hash, hashlen, stat, key, 0);
+}
 
-error:
-   mp_clear_multi(r, s, NULL);
-   return err;
+/**
+   Verify an ECC signature in RFC7518 format
+   @param sig         The signature to verify
+   @param siglen      The length of the signature (octets)
+   @param hash        The hash (message digest) that was signed
+   @param hashlen     The length of the hash (octets)
+   @param stat        Result of signature, 1==valid, 0==invalid
+   @param key         The corresponding public ECC key
+   @return CRYPT_OK if successful (even if the signature is not valid)
+*/
+int ecc_verify_hash_rfc7518(const unsigned char *sig,  unsigned long siglen,
+                            const unsigned char *hash, unsigned long hashlen,
+                            int *stat, ecc_key *key)
+{
+   return _ecc_verify_hash(sig, siglen, hash, hashlen, stat, key, 1);
 }
 
 #endif
+
 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */
 /* commit time: $Format:%ai$ */
-

tests/ecc_test.c

@@ -230,6 +230,19 @@ int ecc_tests (void)
         fprintf(stderr, "ecc_verify_hash failed %d, %d, ", stat, stat2);
         return 1;
      }
+     /* test sign_hash_rfc7518 */
+     for (ch = 0; ch < 16; ch++) {
+        buf[0][ch] = ch;
+     }
+     x = sizeof (buf[1]);
+     DO(ecc_sign_hash_rfc7518(buf[0], 16, buf[1], &x, &yarrow_prng, find_prng ("yarrow"), &privKey));
+     DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat, &pubKey));
+     buf[0][0] ^= 1;
+     DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat2, &privKey));
+     if (!(stat == 1 && stat2 == 0)) {
+        fprintf(stderr, "ecc_verify_hash_rfc7518 failed %d, %d, ", stat, stat2);
+        return 1;
+     }
      ecc_free (&usera);
      ecc_free (&pubKey);
      ecc_free (&privKey);