dropbear: src/pk/ecc/ecc_sys.c comparison

comparison src/pk/ecc/ecc_sys.c @ 209:39d5d58461d6 libtomcrypt-orig LTC_1.05

Import of libtomcrypt 1.05

author	Matt Johnston <matt@ucc.asn.au>
date	Wed, 06 Jul 2005 03:53:40 +0000
parents	1c15b283127b
children

comparison

equal deleted inserted replaced

-:1c15b283127b
+:39d5d58461d6
 prng_state *prng, int wprng, int hash,
 ecc_key *key)
 {
 unsigned char *pub_expt, *ecc_shared, *skey;
 ecc_key        pubkey;
-unsigned long  x, y, z, hashsize, pubkeysize;
+unsigned long  x, y, pubkeysize;
 int            err;
 LTC_ARGCHK(in      != NULL);
 LTC_ARGCHK(out     != NULL);
 LTC_ARGCHK(outlen  != NULL);
 if ((err = ecc_export(pub_expt, &pubkeysize, PK_PUBLIC, &pubkey)) != CRYPT_OK) {
 ecc_free(&pubkey);
 goto LBL_ERR;
 }
-/* now check if the out buffer is big enough */
-if (*outlen < (9 + PACKET_SIZE + pubkeysize + hash_descriptor[hash].hashsize)) {
-ecc_free(&pubkey);
-err = CRYPT_BUFFER_OVERFLOW;
-goto LBL_ERR;
-}
 /* make random key */
-hashsize  = hash_descriptor[hash].hashsize;
+x        = ECC_BUF_SIZE;
-x = ECC_BUF_SIZE;
 if ((err = ecc_shared_secret(&pubkey, key, ecc_shared, &x)) != CRYPT_OK) {
 ecc_free(&pubkey);
 goto LBL_ERR;
 }
 ecc_free(&pubkey);
-z = MAXBLOCKSIZE;
+y = MAXBLOCKSIZE;
-if ((err = hash_memory(hash, ecc_shared, x, skey, &z)) != CRYPT_OK) {
+if ((err = hash_memory(hash, ecc_shared, x, skey, &y)) != CRYPT_OK) {
 goto LBL_ERR;
 }
-/* store header */
+/* Encrypt key */
-packet_store_header(out, PACKET_SECT_ECC, PACKET_SUB_ENC_KEY);
+for (x = 0; x < inlen; x++) {
+skey[x] ^= in[x];
-/* output header */
+}
-y = PACKET_SIZE;
+err = der_encode_sequence_multi(out, outlen,
-/* size of hash name and the name itself */
+LTC_ASN1_OBJECT_IDENTIFIER,  hash_descriptor[hash].OIDlen,   hash_descriptor[hash].OID,
-out[y++] = hash_descriptor[hash].ID;
+LTC_ASN1_OCTET_STRING,       pubkeysize,                     pub_expt,
+LTC_ASN1_OCTET_STRING,       inlen,                          skey,
-/* length of ECC pubkey and the key itself */
+LTC_ASN1_EOL,                0UL,                            NULL);
-STORE32L(pubkeysize, out+y);
-y += 4;
-for (x = 0; x < pubkeysize; x++, y++) {
-out[y] = pub_expt[x];
-}
-STORE32L(inlen, out+y);
-y += 4;
-/* Encrypt/Store the encrypted key */
-for (x = 0; x < inlen; x++, y++) {
-out[y] = skey[x] ^ in[x];
-}
-*outlen = y;
-err = CRYPT_OK;
 LBL_ERR:
 #ifdef LTC_CLEAN_STACK
 /* clean up */
 zeromem(pub_expt,   ECC_BUF_SIZE);
 zeromem(ecc_shared, ECC_BUF_SIZE);
 */
 int ecc_decrypt_key(const unsigned char *in,  unsigned long  inlen,
 unsigned char *out, unsigned long *outlen,
 ecc_key *key)
 {
-unsigned char *shared_secret, *skey;
+unsigned char *ecc_shared, *skey, *pub_expt;
-unsigned long  x, y, z, hashsize, keysize;
+unsigned long  x, y, hashOID[32];
 int            hash, err;
 ecc_key        pubkey;
+ltc_asn1_list  decode[3];
 LTC_ARGCHK(in     != NULL);
 LTC_ARGCHK(out    != NULL);
 LTC_ARGCHK(outlen != NULL);
 LTC_ARGCHK(key    != NULL);
 /* right key type? */
 if (key->type != PK_PRIVATE) {
 return CRYPT_PK_NOT_PRIVATE;
 }
-/* correct length ? */
+/* decode to find out hash */
-if (inlen < PACKET_SIZE+1+4+4) {
+LTC_SET_ASN1(decode, 0, LTC_ASN1_OBJECT_IDENTIFIER, hashOID, sizeof(hashOID)/sizeof(hashOID[0]));
+if ((err = der_decode_sequence(in, inlen, decode, 1)) != CRYPT_OK) {
+return err;
+}
+for (hash = 0; hash_descriptor[hash].name   != NULL             &&
+(hash_descriptor[hash].OIDlen != decode[0].size   ||
+memcmp(hash_descriptor[hash].OID, hashOID, sizeof(unsigned long)*decode[0].size)); hash++);
+if (hash_descriptor[hash].name == NULL) {
 return CRYPT_INVALID_PACKET;
-} else {
+}
-inlen -= PACKET_SIZE+1+4+4;
-}
+/* we now have the hash! */
-/* is header correct? */
-if ((err = packet_valid_header((unsigned char *)in, PACKET_SECT_ECC, PACKET_SUB_ENC_KEY)) != CRYPT_OK) {
-return err;
-}
-/* now lets get the hash name */
-y = PACKET_SIZE;
-hash = find_hash_id(in[y++]);
-if (hash == -1) {
-return CRYPT_INVALID_HASH;
-}
-/* common values */
-hashsize  = hash_descriptor[hash].hashsize;
-/* get public key */
-LOAD32L(x, in+y);
-if (inlen < x) {
-return CRYPT_INVALID_PACKET;
-} else {
-inlen -= x;
-}
-y += 4;
-if ((err = ecc_import(in+y, x, &pubkey)) != CRYPT_OK) {
-return err;
-}
-y += x;
 /* allocate memory */
-shared_secret = XMALLOC(ECC_BUF_SIZE);
+pub_expt   = XMALLOC(ECC_BUF_SIZE);
-skey          = XMALLOC(MAXBLOCKSIZE);
+ecc_shared = XMALLOC(ECC_BUF_SIZE);
-if (shared_secret == NULL || skey == NULL) {
+skey       = XMALLOC(MAXBLOCKSIZE);
-if (shared_secret != NULL) {
+if (pub_expt == NULL || ecc_shared == NULL || skey == NULL) {
-XFREE(shared_secret);
+if (pub_expt != NULL) {
+XFREE(pub_expt);
+}
+if (ecc_shared != NULL) {
+XFREE(ecc_shared);
 }
 if (skey != NULL) {
 XFREE(skey);
 }
-ecc_free(&pubkey);
 return CRYPT_MEM;
+}
+LTC_SET_ASN1(decode, 1, LTC_ASN1_OCTET_STRING,      pub_expt,  ECC_BUF_SIZE);
+LTC_SET_ASN1(decode, 2, LTC_ASN1_OCTET_STRING,      skey,      MAXBLOCKSIZE);
+/* read the structure in now */
+if ((err = der_decode_sequence(in, inlen, decode, 3)) != CRYPT_OK) {
+goto LBL_ERR;
+}
+/* import ECC key from packet */
+if ((err = ecc_import(decode[1].data, decode[1].size, &pubkey)) != CRYPT_OK) {
+goto LBL_ERR;
 }
 /* make shared key */
 x = ECC_BUF_SIZE;
-if ((err = ecc_shared_secret(key, &pubkey, shared_secret, &x)) != CRYPT_OK) {
+if ((err = ecc_shared_secret(key, &pubkey, ecc_shared, &x)) != CRYPT_OK) {
 ecc_free(&pubkey);
 goto LBL_ERR;
 }
 ecc_free(&pubkey);
-z = MAXBLOCKSIZE;
+y = MAXBLOCKSIZE;
-if ((err = hash_memory(hash, shared_secret, x, skey, &z)) != CRYPT_OK) {
+if ((err = hash_memory(hash, ecc_shared, x, ecc_shared, &y)) != CRYPT_OK) {
 goto LBL_ERR;
 }
-LOAD32L(keysize, in+y);
+/* ensure the hash of the shared secret is at least as big as the encrypt itself */
-if (inlen < keysize) {
+if (decode[2].size > y) {
 err = CRYPT_INVALID_PACKET;
 goto LBL_ERR;
-} else {
+}
-inlen -= keysize;
-}
+/* avoid buffer overflow */
-y += 4;
+if (*outlen < decode[2].size) {
+err = CRYPT_BUFFER_OVERFLOW;
-if (*outlen < keysize) {
+goto LBL_ERR;
-err = CRYPT_BUFFER_OVERFLOW;
-goto LBL_ERR;
 }
 /* Decrypt the key */
-for (x = 0; x < keysize; x++, y++) {
+for (x = 0; x < decode[2].size; x++) {
-out[x] = skey[x] ^ in[y];
+out[x] = skey[x] ^ ecc_shared[x];
 }
+*outlen = x;
-*outlen = keysize;
 err = CRYPT_OK;
 LBL_ERR:
 #ifdef LTC_CLEAN_STACK
-zeromem(shared_secret, ECC_BUF_SIZE);
+zeromem(pub_expt,   ECC_BUF_SIZE);
-zeromem(skey,          MAXBLOCKSIZE);
+zeromem(ecc_shared, ECC_BUF_SIZE);
+zeromem(skey,       MAXBLOCKSIZE);
 #endif
+XFREE(pub_expt);
+XFREE(ecc_shared);
 XFREE(skey);
-XFREE(shared_secret);
 return err;
 }
 /**
 int ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
 unsigned char *out, unsigned long *outlen,
 prng_state *prng, int wprng, ecc_key *key)
 {
 ecc_key       pubkey;
-mp_int        b, p;
+mp_int        r, s, e, p;
-unsigned char *epubkey, *er;
-unsigned long x, y, pubkeysize, rsize;
 int           err;
 LTC_ARGCHK(in     != NULL);
 LTC_ARGCHK(out    != NULL);
 LTC_ARGCHK(outlen != NULL);
 if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
 return err;
 }
-/* make up a key and export the public copy */
+/* get the hash and load it as a bignum into 'e' */
-if ((err = ecc_make_key(prng, wprng, ecc_get_size(key), &pubkey)) != CRYPT_OK) {
-return err;
-}
-/* allocate ram */
-epubkey = XMALLOC(ECC_BUF_SIZE);
-er      = XMALLOC(ECC_BUF_SIZE);
-if (epubkey == NULL || er == NULL) {
-if (epubkey != NULL) {
-XFREE(epubkey);
-}
-if (er != NULL) {
-XFREE(er);
-}
-ecc_free(&pubkey);
-return CRYPT_MEM;
-}
-pubkeysize = ECC_BUF_SIZE;
-if ((err = ecc_export(epubkey, &pubkeysize, PK_PUBLIC, &pubkey)) != CRYPT_OK) {
-ecc_free(&pubkey);
-goto LBL_ERR;
-}
-/* get the hash and load it as a bignum into 'b' */
 /* init the bignums */
-if ((err = mp_init_multi(&b, &p, NULL)) != MP_OKAY) {
+if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != MP_OKAY) {
 ecc_free(&pubkey);
 err = mpi_to_ltc_error(err);
 goto LBL_ERR;
 }
 if ((err = mp_read_radix(&p, (char *)sets[key->idx].order, 64)) != MP_OKAY)        { goto error; }
-if ((err = mp_read_unsigned_bin(&b, (unsigned char *)in, (int)inlen)) != MP_OKAY)  { goto error; }
+if ((err = mp_read_unsigned_bin(&e, (unsigned char *)in, (int)inlen)) != MP_OKAY)  { goto error; }
-/* find b = (m - x)/k */
+/* make up a key and export the public copy */
-if ((err = mp_invmod(&pubkey.k, &p, &pubkey.k)) != MP_OKAY)            { goto error; } /* k = 1/k */
+for (;;) {
-if ((err = mp_submod(&b, &key->k, &p, &b)) != MP_OKAY)                 { goto error; } /* b = m - x */
+if ((err = ecc_make_key(prng, wprng, ecc_get_size(key), &pubkey)) != CRYPT_OK) {
-if ((err = mp_mulmod(&b, &pubkey.k, &p, &b)) != MP_OKAY)               { goto error; } /* b = (m - x)/k */
+return err;
+}
-/* export it */
-rsize = (unsigned long)mp_unsigned_bin_size(&b);
+/* find r = x1 mod n */
-if (rsize > ECC_BUF_SIZE) {
+if ((err = mp_mod(&pubkey.pubkey.x, &p, &r)) != MP_OKAY)                           { goto error; }
-err = CRYPT_BUFFER_OVERFLOW;
-goto error;
+if (mp_iszero(&r)) {
-}
+ecc_free(&pubkey);
-if ((err = mp_to_unsigned_bin(&b, er)) != MP_OKAY)                     { goto error; }
+} else {
+/* find s = (e + xr)/k */
-/* now lets check the outlen before we write */
+if ((err = mp_invmod(&pubkey.k, &p, &pubkey.k)) != MP_OKAY)            { goto error; } /* k = 1/k */
-if (*outlen < (12 + rsize + pubkeysize)) {
+if ((err = mp_mulmod(&key->k, &r, &p, &s)) != MP_OKAY)                 { goto error; } /* s = xr */
-err = CRYPT_BUFFER_OVERFLOW;
+if ((err = mp_addmod(&e, &s, &p, &s)) != MP_OKAY)                      { goto error; } /* s = e +  xr */
-goto LBL_ERR;
+if ((err = mp_mulmod(&s, &pubkey.k, &p, &s)) != MP_OKAY)               { goto error; } /* s = (e + xr)/k */
-}
+if (mp_iszero(&s)) {
-/* lets output */
+ecc_free(&pubkey);
-y = PACKET_SIZE;
+} else {
+break;
-/* size of public key */
+}
-STORE32L(pubkeysize, out+y);
+}
-y += 4;
+}
-/* copy the public key */
+/* store as SEQUENCE { r, s -- integer } */
-for (x = 0; x < pubkeysize; x++, y++) {
+err = der_encode_sequence_multi(out, outlen,
-out[y] = epubkey[x];
+LTC_ASN1_INTEGER, 1UL, &r,
-}
+LTC_ASN1_INTEGER, 1UL, &s,
+LTC_ASN1_EOL, 0UL, NULL);
-/* size of 'r' */
-STORE32L(rsize, out+y);
-y += 4;
-/* copy r */
-for (x = 0; x < rsize; x++, y++) {
-out[y] = er[x];
-}
-/* store header */
-packet_store_header(out, PACKET_SECT_ECC, PACKET_SUB_SIGNED);
-*outlen = y;
-/* all ok */
-err = CRYPT_OK;
 goto LBL_ERR;
 error:
 err = mpi_to_ltc_error(err);
 LBL_ERR:
-mp_clear_multi(&b, &p, NULL);
+mp_clear_multi(&r, &s, &p, &e, NULL);
 ecc_free(&pubkey);
-#ifdef LTC_CLEAN_STACK
-zeromem(er,      ECC_BUF_SIZE);
-zeromem(epubkey, ECC_BUF_SIZE);
-#endif
-XFREE(epubkey);
-XFREE(er);
 return err;
 }
-/* verify that mG = (bA + Y)
+/* verify
 *
-* The signatures work by making up a fresh key "a" with a public key "A".  Now we want to sign so the
+* w  = s^-1 mod n
-* public key Y = xG can verify it.
+* u1 = xw
-*
+* u2 = rw
-* b = (m - x)/k, A is the public key embedded and Y is the users public key [who signed it]
+* X = u1*G + u2*Q
-* A = kG therefore bA == ((m-x)/k)kG == (m-x)G
+* v = X_x1 mod n
-*
+* accept if v == r
-* Adding Y = xG to the bA gives us (m-x)G + xG == mG
-*
-* The user given only xG, kG and b cannot determine k or x which means they can't find the private key.
-*
 */
 /**
 Verify an ECC signature
 @param sig         The signature to verify
 */
 int ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
 const unsigned char *hash, unsigned long hashlen,
 int *stat, ecc_key *key)
 {
-ecc_point    *mG;
+ecc_point    *mG, *mQ;
-ecc_key       pubkey;
+mp_int        r, s, v, w, u1, u2, e, p, m;
-mp_int        b, p, m, mu;
+mp_digit      mp;
-unsigned long x, y;
 int           err;
 LTC_ARGCHK(sig  != NULL);
 LTC_ARGCHK(hash != NULL);
 LTC_ARGCHK(stat != NULL);
 LTC_ARGCHK(key  != NULL);
 /* default to invalid signature */
 *stat = 0;
-if (siglen < PACKET_SIZE+4+4) {
+/* is the IDX valid ?  */
-return CRYPT_INVALID_PACKET;
+if (is_valid_idx(key->idx) != 1) {
-} else {
+return CRYPT_PK_INVALID_TYPE;
-siglen -= PACKET_SIZE+4+4;
+}
-}
+/* allocate ints */
-/* is the message format correct? */
+if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != MP_OKAY) {
-if ((err = packet_valid_header((unsigned char *)sig, PACKET_SECT_ECC, PACKET_SUB_SIGNED)) != CRYPT_OK) {
+return CRYPT_MEM;
-return err;
+}
-}
+/* allocate points */
-/* get hash name */
-y = PACKET_SIZE;
-/* get size of public key */
-LOAD32L(x, sig+y);
-if (siglen < x) {
-return CRYPT_INVALID_PACKET;
-} else {
-siglen -= x;
-}
-y += 4;
-/* load the public key */
-if ((err = ecc_import((unsigned char*)sig+y, x, &pubkey)) != CRYPT_OK) {
-return err;
-}
-y += x;
-/* load size of 'b' */
-LOAD32L(x, sig+y);
-if (siglen < x) {
-return CRYPT_INVALID_PACKET;
-} else {
-siglen -= x;
-}
-y += 4;
-/* init values */
-if ((err = mp_init_multi(&b, &m, &p, &mu, NULL)) != MP_OKAY) {
-ecc_free(&pubkey);
-return mpi_to_ltc_error(err);
-}
 mG = new_point();
-if (mG == NULL) {
+mQ = new_point();
-mp_clear_multi(&b, &m, &p, &mu, NULL);
+if (mQ  == NULL || mG == NULL) {
-ecc_free(&pubkey);
+err = CRYPT_MEM;
-return CRYPT_MEM;
+goto done;
 }
-/* load b */
+/* parse header */
-if ((err = mp_read_unsigned_bin(&b, (unsigned char *)sig+y, (int)x)) != MP_OKAY)        { goto error; }
+if ((err = der_decode_sequence_multi(sig, siglen,
-y += x;
+LTC_ASN1_INTEGER, 1UL, &r,
+LTC_ASN1_INTEGER, 1UL, &s,
-/* get m in binary a bignum */
+LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) {
-if ((err = mp_read_unsigned_bin(&m, (unsigned char *)hash, (int)hashlen)) != MP_OKAY)   { goto error; }
+goto done;
+}
-/* load prime */
-if ((err = mp_read_radix(&p, (char *)sets[key->idx].prime, 64)) != MP_OKAY)             { goto error; }
+/* get the order */
+if ((err = mp_read_radix(&p, (char *)sets[key->idx].order, 64)) != MP_OKAY)                  { goto error; }
-/* calculate barrett stuff */
-mp_set(&mu, 1);
+/* get the modulus */
-mp_lshd(&mu, 2 * USED(&p));
+if ((err = mp_read_radix(&m, (char *)sets[key->idx].prime, 64)) != MP_OKAY)                  { goto error; }
-if ((err = mp_div(&mu, &p, &mu, NULL)) != MP_OKAY)                                      { goto error; }
+/* check for zero */
-/* get bA */
+if (mp_iszero(&r) || mp_iszero(&s) || mp_cmp(&r, &p) != MP_LT || mp_cmp(&s, &p) != MP_LT) {
-if ((err = ecc_mulmod(&b, &pubkey.pubkey, &pubkey.pubkey, &p)) != CRYPT_OK)                  { goto done; }
+err = CRYPT_INVALID_PACKET;
+goto done;
-/* get bA + Y */
+}
-if ((err = add_point(&pubkey.pubkey, &key->pubkey, &pubkey.pubkey, &p, &mu)) != CRYPT_OK)    { goto done; }
+/* read hash */
-/* we have to transform it */
+if ((err = mp_read_unsigned_bin(&e, (unsigned char *)hash, (int)hashlen)) != MP_OKAY)        { goto error; }
-if ((err = ecc_map(&pubkey.pubkey, &p, &mu)) != CRYPT_OK)                                    { goto done; }
+/*  w  = s^-1 mod n */
-/* get mG */
+if ((err = mp_invmod(&s, &p, &w)) != MP_OKAY)                                                { goto error; }
+/* u1 = ew */
+if ((err = mp_mulmod(&e, &w, &p, &u1)) != MP_OKAY)                                           { goto error; }
+/* u2 = rw */
+if ((err = mp_mulmod(&r, &w, &p, &u2)) != MP_OKAY)                                           { goto error; }
+/* find mG = u1*G */
 if ((err = mp_read_radix(&mG->x, (char *)sets[key->idx].Gx, 64)) != MP_OKAY)                 { goto error; }
 if ((err = mp_read_radix(&mG->y, (char *)sets[key->idx].Gy, 64)) != MP_OKAY)                 { goto error; }
 mp_set(&mG->z, 1);
-if ((err = ecc_mulmod(&m, mG, mG, &p)) != CRYPT_OK)                                          { goto done; }
+if ((err = ecc_mulmod(&u1, mG, mG, &m, 0)) != CRYPT_OK)                                      { goto done; }
-/* compare mG to bA + Y */
+/* find mQ = u2*Q */
-if (mp_cmp(&mG->x, &pubkey.pubkey.x) == MP_EQ && mp_cmp(&mG->y, &pubkey.pubkey.y) == MP_EQ) {
+if ((err = mp_copy(&key->pubkey.x, &mQ->x)) != MP_OKAY)                                      { goto error; }
+if ((err = mp_copy(&key->pubkey.y, &mQ->y)) != MP_OKAY)                                      { goto error; }
+if ((err = mp_copy(&key->pubkey.z, &mQ->z)) != MP_OKAY)                                      { goto error; }
+if ((err = ecc_mulmod(&u2, mQ, mQ, &m, 0)) != CRYPT_OK)                                      { goto done; }
+/* find the montgomery mp */
+if ((err = mp_montgomery_setup(&m, &mp)) != MP_OKAY)                                         { goto error; }
+/* add them */
+if ((err = add_point(mQ, mG, mG, &m, mp)) != CRYPT_OK)                                       { goto done; }
+/* reduce */
+if ((err = ecc_map(mG, &m, mp)) != CRYPT_OK)                                                 { goto done; }
+/* v = X_x1 mod n */
+if ((err = mp_mod(&mG->x, &p, &v)) != CRYPT_OK)                                              { goto done; }
+/* does v == r */
+if (mp_cmp(&v, &r) == MP_EQ) {
 *stat = 1;
 }
 /* clear up and return */
 err = CRYPT_OK;
 goto done;
 error:
 err = mpi_to_ltc_error(err);
 done:
 del_point(mG);
-ecc_free(&pubkey);
+del_point(mQ);
-mp_clear_multi(&p, &m, &b, &mu, NULL);
+mp_clear_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL);
 return err;
 }
+/* $Source: /cvs/libtom/libtomcrypt/src/pk/ecc/ecc_sys.c,v $ */
+/* $Revision: 1.18 $ */
+/* $Date: 2005/06/14 20:47:55 $ */

Mercurial > dropbear

comparison src/pk/ecc/ecc_sys.c @ 209:39d5d58461d6 libtomcrypt-orig LTC_1.05