Mercurial > dropbear

comparison ecdsa.c @ 910:89555751c489 asm

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
merge up to 2013.63, improve ASM makefile rules a bit
author Matt Johnston <matt@ucc.asn.au>
date Thu, 27 Feb 2014 21:35:58 +0800
parents c19acba28590
children c0b1b7eb5c84
comparison
equal deleted inserted replaced
909:e4b75744acab 910:89555751c489
1 #include "options.h"
2 #include "includes.h"
3 #include "dbutil.h"
4 #include "crypto_desc.h"
5 #include "ecc.h"
6 #include "ecdsa.h"
7 #include "signkey.h"
8
9 #ifdef DROPBEAR_ECDSA
10
11 int signkey_is_ecdsa(enum signkey_type type)
12 {
13 return type == DROPBEAR_SIGNKEY_ECDSA_NISTP256
14 || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384
15 || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521;
16 }
17
18 enum signkey_type ecdsa_signkey_type(ecc_key * key) {
19 #ifdef DROPBEAR_ECC_256
20 if (key->dp == ecc_curve_nistp256.dp) {
21 return DROPBEAR_SIGNKEY_ECDSA_NISTP256;
22 }
23 #endif
24 #ifdef DROPBEAR_ECC_384
25 if (key->dp == ecc_curve_nistp384.dp) {
26 return DROPBEAR_SIGNKEY_ECDSA_NISTP384;
27 }
28 #endif
29 #ifdef DROPBEAR_ECC_521
30 if (key->dp == ecc_curve_nistp521.dp) {
31 return DROPBEAR_SIGNKEY_ECDSA_NISTP521;
32 }
33 #endif
34 return DROPBEAR_SIGNKEY_NONE;
35 }
36
37 ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) {
38 const ltc_ecc_set_type *dp = NULL; /* curve domain parameters */
39 ecc_key *new_key = NULL;
40 switch (bit_size) {
41 #ifdef DROPBEAR_ECC_256
42 case 256:
43 dp = ecc_curve_nistp256.dp;
44 break;
45 #endif
46 #ifdef DROPBEAR_ECC_384
47 case 384:
48 dp = ecc_curve_nistp384.dp;
49 break;
50 #endif
51 #ifdef DROPBEAR_ECC_521
52 case 521:
53 dp = ecc_curve_nistp521.dp;
54 break;
55 #endif
56 }
57 if (!dp) {
58 dropbear_exit("Key size %d isn't valid. Try "
59 #ifdef DROPBEAR_ECC_256
60 "256 "
61 #endif
62 #ifdef DROPBEAR_ECC_384
63 "384 "
64 #endif
65 #ifdef DROPBEAR_ECC_521
66 "521 "
67 #endif
68 , bit_size);
69 }
70
71 new_key = m_malloc(sizeof(*new_key));
72 if (ecc_make_key_ex(NULL, dropbear_ltc_prng, new_key, dp) != CRYPT_OK) {
73 dropbear_exit("ECC error");
74 }
75 return new_key;
76 }
77
78 ecc_key *buf_get_ecdsa_pub_key(buffer* buf) {
79 unsigned char *key_ident = NULL, *identifier = NULL;
80 unsigned int key_ident_len, identifier_len;
81 buffer *q_buf = NULL;
82 struct dropbear_ecc_curve **curve;
83 ecc_key *new_key = NULL;
84
85 /* string "ecdsa-sha2-[identifier]" */
86 key_ident = buf_getstring(buf, &key_ident_len);
87 /* string "[identifier]" */
88 identifier = buf_getstring(buf, &identifier_len);
89
90 if (key_ident_len != identifier_len + strlen("ecdsa-sha2-")) {
91 TRACE(("Bad identifier lengths"))
92 goto out;
93 }
94 if (memcmp(&key_ident[strlen("ecdsa-sha2-")], identifier, identifier_len) != 0) {
95 TRACE(("mismatching identifiers"))
96 goto out;
97 }
98
99 for (curve = dropbear_ecc_curves; *curve; curve++) {
100 if (memcmp(identifier, (char*)(*curve)->name, strlen((char*)(*curve)->name)) == 0) {
101 break;
102 }
103 }
104 if (!*curve) {
105 TRACE(("couldn't match ecc curve"))
106 goto out;
107 }
108
109 /* string Q */
110 q_buf = buf_getstringbuf(buf);
111 new_key = buf_get_ecc_raw_pubkey(q_buf, *curve);
112
113 out:
114 m_free(key_ident);
115 m_free(identifier);
116 if (q_buf) {
117 buf_free(q_buf);
118 q_buf = NULL;
119 }
120 TRACE(("leave buf_get_ecdsa_pub_key"))
121 return new_key;
122 }
123
124 ecc_key *buf_get_ecdsa_priv_key(buffer *buf) {
125 ecc_key *new_key = NULL;
126 TRACE(("enter buf_get_ecdsa_priv_key"))
127 new_key = buf_get_ecdsa_pub_key(buf);
128 if (!new_key) {
129 return NULL;
130 }
131
132 if (buf_getmpint(buf, new_key->k) != DROPBEAR_SUCCESS) {
133 ecc_free(new_key);
134 return NULL;
135 }
136
137 return new_key;
138 }
139
140 void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key) {
141 struct dropbear_ecc_curve *curve = NULL;
142 unsigned char key_ident[30];
143
144 curve = curve_for_dp(key->dp);
145 snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name);
146 buf_putstring(buf, key_ident, strlen(key_ident));
147 buf_putstring(buf, curve->name, strlen(curve->name));
148 buf_put_ecc_raw_pubkey_string(buf, key);
149 }
150
151 void buf_put_ecdsa_priv_key(buffer *buf, ecc_key *key) {
152 buf_put_ecdsa_pub_key(buf, key);
153 buf_putmpint(buf, key->k);
154 }
155
156 void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf) {
157 /* Based on libtomcrypt's ecc_sign_hash but without the asn1 */
158 int err = DROPBEAR_FAILURE;
159 struct dropbear_ecc_curve *curve = NULL;
160 hash_state hs;
161 unsigned char hash[64];
162 void *e = NULL, *p = NULL, *s = NULL, *r;
163 unsigned char key_ident[30];
164 buffer *sigbuf = NULL;
165
166 TRACE(("buf_put_ecdsa_sign"))
167 curve = curve_for_dp(key->dp);
168
169 if (ltc_init_multi(&r, &s, &p, &e, NULL) != CRYPT_OK) {
170 goto out;
171 }
172
173 curve->hash_desc->init(&hs);
174 curve->hash_desc->process(&hs, data_buf->data, data_buf->len);
175 curve->hash_desc->done(&hs, hash);
176
177 if (ltc_mp.unsigned_read(e, hash, curve->hash_desc->hashsize) != CRYPT_OK) {
178 goto out;
179 }
180
181 if (ltc_mp.read_radix(p, (char *)key->dp->order, 16) != CRYPT_OK) {
182 goto out;
183 }
184
185 for (;;) {
186 ecc_key R_key; /* ephemeral key */
187 if (ecc_make_key_ex(NULL, dropbear_ltc_prng, &R_key, key->dp) != CRYPT_OK) {
188 goto out;
189 }
190 if (ltc_mp.mpdiv(R_key.pubkey.x, p, NULL, r) != CRYPT_OK) {
191 goto out;
192 }
193 if (ltc_mp.compare_d(r, 0) == LTC_MP_EQ) {
194 /* try again */
195 ecc_free(&R_key);
196 continue;
197 }
198 /* k = 1/k */
199 if (ltc_mp.invmod(R_key.k, p, R_key.k) != CRYPT_OK) {
200 goto out;
201 }
202 /* s = xr */
203 if (ltc_mp.mulmod(key->k, r, p, s) != CRYPT_OK) {
204 goto out;
205 }
206 /* s = e + xr */
207 if (ltc_mp.add(e, s, s) != CRYPT_OK) {
208 goto out;
209 }
210 if (ltc_mp.mpdiv(s, p, NULL, s) != CRYPT_OK) {
211 goto out;
212 }
213 /* s = (e + xr)/k */
214 if (ltc_mp.mulmod(s, R_key.k, p, s) != CRYPT_OK) {
215 goto out;
216 }
217 ecc_free(&R_key);
218
219 if (ltc_mp.compare_d(s, 0) != LTC_MP_EQ) {
220 break;
221 }
222 }
223
224 snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name);
225 buf_putstring(buf, key_ident, strlen(key_ident));
226 /* enough for nistp521 */
227 sigbuf = buf_new(200);
228 buf_putmpint(sigbuf, (mp_int*)r);
229 buf_putmpint(sigbuf, (mp_int*)s);
230 buf_putbufstring(buf, sigbuf);
231
232 err = DROPBEAR_SUCCESS;
233
234 out:
235 if (r && s && p && e) {
236 ltc_deinit_multi(r, s, p, e, NULL);
237 }
238
239 if (sigbuf) {
240 buf_free(sigbuf);
241 }
242
243 if (err == DROPBEAR_FAILURE) {
244 dropbear_exit("ECC error");
245 }
246 }
247
248 /* returns values in s and r
249 returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
250 static int buf_get_ecdsa_verify_params(buffer *buf,
251 void *r, void* s) {
252 int ret = DROPBEAR_FAILURE;
253 unsigned int sig_len;
254 unsigned int sig_pos;
255
256 sig_len = buf_getint(buf);
257 sig_pos = buf->pos;
258 if (buf_getmpint(buf, r) != DROPBEAR_SUCCESS) {
259 goto out;
260 }
261 if (buf_getmpint(buf, s) != DROPBEAR_SUCCESS) {
262 goto out;
263 }
264 if (buf->pos - sig_pos != sig_len) {
265 goto out;
266 }
267 ret = DROPBEAR_SUCCESS;
268
269 out:
270 return ret;
271 }
272
273
274 int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf) {
275 /* Based on libtomcrypt's ecc_verify_hash but without the asn1 */
276 int ret = DROPBEAR_FAILURE;
277 hash_state hs;
278 struct dropbear_ecc_curve *curve = NULL;
279 unsigned char hash[64];
280 ecc_point *mG = NULL, *mQ = NULL;
281 void *r = NULL, *s = NULL, *v = NULL, *w = NULL, *u1 = NULL, *u2 = NULL,
282 *e = NULL, *p = NULL, *m = NULL;
283 void *mp = NULL;
284
285 /* verify
286 *
287 * w = s^-1 mod n
288 * u1 = xw
289 * u2 = rw
290 * X = u1*G + u2*Q
291 * v = X_x1 mod n
292 * accept if v == r
293 */
294
295 TRACE(("buf_ecdsa_verify"))
296 curve = curve_for_dp(key->dp);
297
298 mG = ltc_ecc_new_point();
299 mQ = ltc_ecc_new_point();
300 if (ltc_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL) != CRYPT_OK
301 || !mG
302 || !mQ) {
303 dropbear_exit("ECC error");
304 }
305
306 if (buf_get_ecdsa_verify_params(buf, r, s) != DROPBEAR_SUCCESS) {
307 goto out;
308 }
309
310 curve->hash_desc->init(&hs);
311 curve->hash_desc->process(&hs, data_buf->data, data_buf->len);
312 curve->hash_desc->done(&hs, hash);
313
314 if (ltc_mp.unsigned_read(e, hash, curve->hash_desc->hashsize) != CRYPT_OK) {
315 goto out;
316 }
317
318 /* get the order */
319 if (ltc_mp.read_radix(p, (char *)key->dp->order, 16) != CRYPT_OK) {
320 goto out;
321 }
322
323 /* get the modulus */
324 if (ltc_mp.read_radix(m, (char *)key->dp->prime, 16) != CRYPT_OK) {
325 goto out;
326 }
327
328 /* check for zero */
329 if (ltc_mp.compare_d(r, 0) == LTC_MP_EQ
330 || ltc_mp.compare_d(s, 0) == LTC_MP_EQ
331 || ltc_mp.compare(r, p) != LTC_MP_LT
332 || ltc_mp.compare(s, p) != LTC_MP_LT) {
333 goto out;
334 }
335
336 /* w = s^-1 mod n */
337 if (ltc_mp.invmod(s, p, w) != CRYPT_OK) {
338 goto out;
339 }
340
341 /* u1 = ew */
342 if (ltc_mp.mulmod(e, w, p, u1) != CRYPT_OK) {
343 goto out;
344 }
345
346 /* u2 = rw */
347 if (ltc_mp.mulmod(r, w, p, u2) != CRYPT_OK) {
348 goto out;
349 }
350
351 /* find mG and mQ */
352 if (ltc_mp.read_radix(mG->x, (char *)key->dp->Gx, 16) != CRYPT_OK) {
353 goto out;
354 }
355 if (ltc_mp.read_radix(mG->y, (char *)key->dp->Gy, 16) != CRYPT_OK) {
356 goto out;
357 }
358 if (ltc_mp.set_int(mG->z, 1) != CRYPT_OK) {
359 goto out;
360 }
361
362 if (ltc_mp.copy(key->pubkey.x, mQ->x) != CRYPT_OK
363 || ltc_mp.copy(key->pubkey.y, mQ->y) != CRYPT_OK
364 || ltc_mp.copy(key->pubkey.z, mQ->z) != CRYPT_OK) {
365 goto out;
366 }
367
368 /* compute u1*mG + u2*mQ = mG */
369 if (ltc_mp.ecc_mul2add == NULL) {
370 if (ltc_mp.ecc_ptmul(u1, mG, mG, m, 0) != CRYPT_OK) {
371 goto out;
372 }
373 if (ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0) != CRYPT_OK) {
374 goto out;
375 }
376
377 /* find the montgomery mp */
378 if (ltc_mp.montgomery_setup(m, &mp) != CRYPT_OK) {
379 goto out;
380 }
381
382 /* add them */
383 if (ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp) != CRYPT_OK) {
384 goto out;
385 }
386
387 /* reduce */
388 if (ltc_mp.ecc_map(mG, m, mp) != CRYPT_OK) {
389 goto out;
390 }
391 } else {
392 /* use Shamir's trick to compute u1*mG + u2*mQ using half of the doubles */
393 if (ltc_mp.ecc_mul2add(mG, u1, mQ, u2, mG, m) != CRYPT_OK) {
394 goto out;
395 }
396 }
397
398 /* v = X_x1 mod n */
399 if (ltc_mp.mpdiv(mG->x, p, NULL, v) != CRYPT_OK) {
400 goto out;
401 }
402
403 /* does v == r */
404 if (ltc_mp.compare(v, r) == LTC_MP_EQ) {
405 ret = DROPBEAR_SUCCESS;
406 }
407
408 out:
409 ltc_ecc_del_point(mG);
410 ltc_ecc_del_point(mQ);
411 mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL);
412 if (mp != NULL) {
413 ltc_mp.montgomery_deinit(mp);
414 }
415 return ret;
416 }
417
418
419
420 #endif /* DROPBEAR_ECDSA */