[thirdparty/openssl.git] / crypto / ecdsa / ecs_ossl.c

/* crypto/ecdsa/ecs_ossl.c */
/*
 * Written by Nils Larsch for the OpenSSL project
 */
/* ====================================================================
 * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include "ecdsa.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>

static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, 
		EC_KEY *eckey);
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 
		BIGNUM **rp);
static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, 
		ECDSA_SIG *sig, EC_KEY *eckey);

static ECDSA_METHOD openssl_ecdsa_meth = {
	"OpenSSL ECDSA method",
	ecdsa_do_sign,
	ecdsa_sign_setup,
	ecdsa_do_verify,
#if 0
	NULL, /* init     */
	NULL, /* finish   */
#endif
	0,    /* flags    */
	NULL  /* app_data */
};

const ECDSA_METHOD *ECDSA_OpenSSL(void)
{
	return &openssl_ecdsa_meth;
}

static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
		BIGNUM **rp)
{
	BN_CTX   *ctx = NULL;
	BIGNUM	 *k = NULL, *r = NULL, *order = NULL, *X = NULL;
	EC_POINT *tmp_point=NULL;
	EC_GROUP *group;
	int 	 ret = 0;
	if (!eckey  || !eckey->group || !eckey->pub_key || !eckey->priv_key)
	{
		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
		return 0;
	}
	group = eckey->group;

	if (ctx_in == NULL) 
	{
		if ((ctx = BN_CTX_new()) == NULL)
		{
			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
			return 0;
		}
	}
	else
		ctx = ctx_in;

	k     = BN_new();	/* this value is later returned in *kinvp */
	r     = BN_new();	/* this value is later returned in *rp    */
	order = BN_new();
	X     = BN_new();
	if (!k || !r || !order || !X)
	{
		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	if ((tmp_point = EC_POINT_new(group)) == NULL)
	{
		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
		goto err;
	}
	if (!EC_GROUP_get_order(group, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
		goto err;
	}
	
	do
	{
		/* get random k */	
		do
			if (!BN_rand_range(k, order))
			{
				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
				 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);	
				goto err;
			}
		while (BN_is_zero(k));

		/* compute r the x-coordinate of generator * k */
		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
		{
			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
			goto err;
		}
		if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
		{
			if (!EC_POINT_get_affine_coordinates_GFp(group,
				tmp_point, X, NULL, ctx))
			{
				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
				goto err;
			}
		}
		else /* NID_X9_62_characteristic_two_field */
		{
			if (!EC_POINT_get_affine_coordinates_GF2m(group,
				tmp_point, X, NULL, ctx))
			{
				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
				goto err;
			}
		}
		if (!BN_nnmod(r, X, order, ctx))
		{
			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
			goto err;
		}
	}
	while (BN_is_zero(r));

	/* compute the inverse of k */
	if (!BN_mod_inverse(k, k, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
		goto err;	
	}
	/* clear old values if necessary */
	if (*rp != NULL)
		BN_clear_free(*rp);
	if (*kinvp != NULL) 
		BN_clear_free(*kinvp);
	/* save the pre-computed values  */
	*rp    = r;
	*kinvp = k;
	ret = 1;
err:
	if (!ret)
	{
		if (k != NULL) BN_clear_free(k);
		if (r != NULL) BN_clear_free(r);
	}
	if (ctx_in == NULL) 
		BN_CTX_free(ctx);
	if (order != NULL)
		BN_free(order);
	if (tmp_point != NULL) 
		EC_POINT_free(tmp_point);
	if (X)
		BN_clear_free(X);
	return(ret);
}


static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 
		EC_KEY *eckey)
{
	int     ok = 0;
	BIGNUM *kinv=NULL, *r, *s, *m=NULL,*tmp=NULL,*order=NULL;
	BN_CTX     *ctx = NULL;
	EC_GROUP   *group;
	ECDSA_SIG  *ret;
	ECDSA_DATA *ecdsa;

	ecdsa = ecdsa_check(eckey);

	if (!eckey->group || !eckey->pub_key || !eckey->priv_key || !ecdsa)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
		return NULL;
	}

	group = eckey->group;
	ret = ECDSA_SIG_new();
	if (!ret)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
		return NULL;
	}
	s = ret->s;

	if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
		(tmp = BN_new()) == NULL || (m = BN_new()) == NULL)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	if (!EC_GROUP_get_order(group, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
		goto err;
	}
	if (dgst_len > BN_num_bytes(order))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
		goto err;
	}

	if (!BN_bin2bn(dgst, dgst_len, m))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
		goto err;
	}
	do
	{
		if (ecdsa->kinv == NULL || ecdsa->r == NULL)
		{
			if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))
			{
				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
				goto err;
			}
			r = ret->r;
		}
		else
		{
			BN_free(ret->r);
			kinv   = ecdsa->kinv;
			r      = ecdsa->r;
			ret->r = r;
			ecdsa->kinv = NULL;
			ecdsa->r    = NULL;
		}

		if (!BN_mod_mul(tmp, eckey->priv_key, r, order, ctx))
		{
			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
			goto err;
		}
		if (!BN_mod_add_quick(s, tmp, m, order))
		{
			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
			goto err;
		}
		if (!BN_mod_mul(s, s, kinv, order, ctx))
		{
			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
			goto err;
		}
	}
	while (BN_is_zero(s));

	ok = 1;
err:
	if (!ok)
	{
		ECDSA_SIG_free(ret);
		ret = NULL;
	}
	if (ctx)
		BN_CTX_free(ctx);
	if (m)
		BN_clear_free(m);
	if (tmp)
		BN_clear_free(tmp);
	if (order)
		BN_free(order);
	if (kinv)
		BN_clear_free(kinv);
	return ret;
}

static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
		ECDSA_SIG *sig, EC_KEY *eckey)
{
	int ret = -1;
	BN_CTX   *ctx;
	BIGNUM   *order, *u1, *u2, *m, *X;
	EC_POINT *point = NULL;
	EC_GROUP *group;
	/* check input values */
	if (!eckey || !eckey->group || !eckey->pub_key || !sig)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
		return -1;
	}

	group = eckey->group;

	ctx = BN_CTX_new();
	if (!ctx)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
		return -1;
	}
	BN_CTX_start(ctx);
	order = BN_CTX_get(ctx);	
	u1    = BN_CTX_get(ctx);
	u2    = BN_CTX_get(ctx);
	m     = BN_CTX_get(ctx);
	X     = BN_CTX_get(ctx);
	if (!X)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
		goto err;
	}
	
	if (!EC_GROUP_get_order(group, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
		goto err;
	}

	if (BN_is_zero(sig->r)          || BN_get_sign(sig->r) || 
	    BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
	    BN_get_sign(sig->s)         || BN_ucmp(sig->s, order) >= 0)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
		ret = 0;	/* signature is invalid */
		goto err;
	}
	/* calculate tmp1 = inv(S) mod order */
	if (!BN_mod_inverse(u2, sig->s, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
		goto err;
	}
	/* digest -> m */
	if (!BN_bin2bn(dgst, dgst_len, m))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
		goto err;
	}
	/* u1 = m * tmp mod order */
	if (!BN_mod_mul(u1, m, u2, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
		goto err;
	}
	/* u2 = r * w mod q */
	if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
		goto err;
	}

	if ((point = EC_POINT_new(group)) == NULL)
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	if (!EC_POINT_mul(group, point, u1, eckey->pub_key, u2, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
		goto err;
	}
	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
	{
		if (!EC_POINT_get_affine_coordinates_GFp(group,
			point, X, NULL, ctx))
		{
			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
			goto err;
		}
	}
	else /* NID_X9_62_characteristic_two_field */
	{
		if (!EC_POINT_get_affine_coordinates_GF2m(group,
			point, X, NULL, ctx))
		{
			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
			goto err;
		}
	}
	
	if (!BN_nnmod(u1, X, order, ctx))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
		goto err;
	}
	/*  if the signature is correct u1 is equal to sig->r */
	ret = (BN_ucmp(u1, sig->r) == 0);
err:
	BN_CTX_end(ctx);
	BN_CTX_free(ctx);
	if (point)
		EC_POINT_free(point);
	return ret;
}
Commit	Line	Data
4d94ae00	1	/* crypto/ecdsa/ecs_ossl.c */
c6700d27 GT	2	/*
	3	* Written by Nils Larsch for the OpenSSL project
	4	*/
4d94ae00	5	/* ====================================================================
c6700d27	6	* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
4d94ae00 BM	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* openssl-core@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
0bee0e62 BM	58
	59	#include "ecdsa.h"
	60	#include <openssl/err.h>
14a7cfb3	61	#include <openssl/obj_mac.h>
4d94ae00	62
14a7cfb3 BM	63	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dlen,
	64	EC_KEY *eckey);
	65	static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
	66	BIGNUM **rp);
	67	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
	68	ECDSA_SIG sig, EC_KEY eckey);
4d94ae00 BM	69
4d94ae00 BM	70	static ECDSA_METHOD openssl_ecdsa_meth = {
14a7cfb3 BM	71	"OpenSSL ECDSA method",
	72	ecdsa_do_sign,
	73	ecdsa_sign_setup,
	74	ecdsa_do_verify,
	75	#if 0
	76	NULL, /* init */
	77	NULL, /* finish */
	78	#endif
	79	0, /* flags */
	80	NULL /* app_data */
4d94ae00 BM	81	};
	82
	83	const ECDSA_METHOD *ECDSA_OpenSSL(void)
	84	{
	85	return &openssl_ecdsa_meth;
	86	}
	87
14a7cfb3 BM	88	static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
14a7cfb3 BM	89	BIGNUM **rp)
4d94ae00 BM	90	{
4d94ae00 BM	91	BN_CTX *ctx = NULL;
c6700d27	92	BIGNUM k = NULL, r = NULL, order = NULL, X = NULL;
4d94ae00	93	EC_POINT *tmp_point=NULL;
c6700d27	94	EC_GROUP *group;
14a7cfb3 BM	95	int ret = 0;
14a7cfb3 BM	96	if (!eckey \|\| !eckey->group \|\| !eckey->pub_key \|\| !eckey->priv_key)
4d94ae00	97	{
14a7cfb3	98	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
4d94ae00 BM	99	return 0;
4d94ae00 BM	100	}
c6700d27	101	group = eckey->group;
a74333f9	102
4d94ae00 BM	103	if (ctx_in == NULL)
4d94ae00 BM	104	{
c6700d27	105	if ((ctx = BN_CTX_new()) == NULL)
14a7cfb3	106	{
c6700d27 GT	107	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
c6700d27 GT	108	return 0;
14a7cfb3	109	}
4d94ae00 BM	110	}
4d94ae00 BM	111	else
c6700d27	112	ctx = ctx_in;
4d94ae00	113
c6700d27 GT	114	k = BN_new(); /* this value is later returned in kinvp /
	115	r = BN_new(); /* this value is later returned in rp /
	116	order = BN_new();
	117	X = BN_new();
	118	if (!k \|\| !r \|\| !order \|\| !X)
4d94ae00	119	{
c6700d27 GT	120	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
c6700d27 GT	121	goto err;
14a7cfb3	122	}
c6700d27	123	if ((tmp_point = EC_POINT_new(group)) == NULL)
14a7cfb3 BM	124	{
14a7cfb3 BM	125	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
4d94ae00 BM	126	goto err;
4d94ae00 BM	127	}
c6700d27	128	if (!EC_GROUP_get_order(group, order, ctx))
4d94ae00	129	{
14a7cfb3	130	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
4d94ae00 BM	131	goto err;
	132	}
	133
	134	do
	135	{
	136	/* get random k */
4d94ae00	137	do
c6700d27	138	if (!BN_rand_range(k, order))
4d94ae00	139	{
14a7cfb3 BM	140	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
14a7cfb3 BM	141	ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
4d94ae00 BM	142	goto err;
4d94ae00 BM	143	}
c6700d27	144	while (BN_is_zero(k));
4d94ae00 BM	145
4d94ae00 BM	146	/* compute r the x-coordinate of generator * k */
c6700d27	147	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
14a7cfb3 BM	148	{
	149	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
	150	goto err;
	151	}
c6700d27	152	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
14a7cfb3	153	{
c6700d27	154	if (!EC_POINT_get_affine_coordinates_GFp(group,
14a7cfb3 BM	155	tmp_point, X, NULL, ctx))
14a7cfb3 BM	156	{
c6700d27	157	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
14a7cfb3 BM	158	goto err;
	159	}
	160	}
	161	else /* NID_X9_62_characteristic_two_field */
	162	{
c6700d27	163	if (!EC_POINT_get_affine_coordinates_GF2m(group,
14a7cfb3 BM	164	tmp_point, X, NULL, ctx))
14a7cfb3 BM	165	{
c6700d27	166	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
14a7cfb3 BM	167	goto err;
	168	}
	169	}
c6700d27	170	if (!BN_nnmod(r, X, order, ctx))
4d94ae00	171	{
14a7cfb3	172	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
4d94ae00 BM	173	goto err;
4d94ae00 BM	174	}
4d94ae00 BM	175	}
	176	while (BN_is_zero(r));
	177
	178	/* compute the inverse of k */
c6700d27	179	if (!BN_mod_inverse(k, k, order, ctx))
14a7cfb3 BM	180	{
	181	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
	182	goto err;
	183	}
c6700d27 GT	184	/* clear old values if necessary */
c6700d27 GT	185	if (*rp != NULL)
4d94ae00	186	BN_clear_free(*rp);
c6700d27	187	if (*kinvp != NULL)
4d94ae00	188	BN_clear_free(*kinvp);
c6700d27 GT	189	/* save the pre-computed values */
	190	*rp = r;
	191	*kinvp = k;
4d94ae00 BM	192	ret = 1;
	193	err:
	194	if (!ret)
	195	{
c6700d27	196	if (k != NULL) BN_clear_free(k);
4d94ae00 BM	197	if (r != NULL) BN_clear_free(r);
	198	}
	199	if (ctx_in == NULL)
	200	BN_CTX_free(ctx);
4d94ae00	201	if (order != NULL)
c6700d27	202	BN_free(order);
4d94ae00 BM	203	if (tmp_point != NULL)
4d94ae00 BM	204	EC_POINT_free(tmp_point);
c6700d27 GT	205	if (X)
c6700d27 GT	206	BN_clear_free(X);
4d94ae00 BM	207	return(ret);
	208	}
	209
	210
14a7cfb3 BM	211	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dgst_len,
14a7cfb3 BM	212	EC_KEY *eckey)
4d94ae00	213	{
c6700d27 GT	214	int ok = 0;
	215	BIGNUM kinv=NULL, r, s, m=NULL,tmp=NULL,order=NULL;
	216	BN_CTX *ctx = NULL;
	217	EC_GROUP *group;
	218	ECDSA_SIG *ret;
14a7cfb3 BM	219	ECDSA_DATA *ecdsa;
	220
	221	ecdsa = ecdsa_check(eckey);
4d94ae00	222
c6700d27	223	if (!eckey->group \|\| !eckey->pub_key \|\| !eckey->priv_key \|\| !ecdsa)
4d94ae00	224	{
14a7cfb3	225	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
c6700d27	226	return NULL;
4d94ae00	227	}
4d94ae00	228
c6700d27 GT	229	group = eckey->group;
	230	ret = ECDSA_SIG_new();
	231	if (!ret)
	232	{
	233	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
	234	return NULL;
	235	}
	236	s = ret->s;
	237
14a7cfb3	238	if ((ctx = BN_CTX_new()) == NULL \|\| (order = BN_new()) == NULL \|\|
c6700d27	239	(tmp = BN_new()) == NULL \|\| (m = BN_new()) == NULL)
14a7cfb3 BM	240	{
	241	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
	242	goto err;
	243	}
4d94ae00	244
c6700d27	245	if (!EC_GROUP_get_order(group, order, ctx))
4d94ae00	246	{
14a7cfb3	247	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
4d94ae00 BM	248	goto err;
	249	}
	250	if (dgst_len > BN_num_bytes(order))
	251	{
14a7cfb3 BM	252	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
14a7cfb3 BM	253	ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
4d94ae00 BM	254	goto err;
	255	}
	256
c6700d27	257	if (!BN_bin2bn(dgst, dgst_len, m))
14a7cfb3 BM	258	{
	259	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
	260	goto err;
	261	}
4d94ae00 BM	262	do
4d94ae00 BM	263	{
14a7cfb3	264	if (ecdsa->kinv == NULL \|\| ecdsa->r == NULL)
4d94ae00	265	{
c6700d27	266	if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))
14a7cfb3	267	{
c6700d27	268	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
14a7cfb3 BM	269	goto err;
14a7cfb3 BM	270	}
c6700d27	271	r = ret->r;
4d94ae00 BM	272	}
	273	else
	274	{
c6700d27 GT	275	BN_free(ret->r);
	276	kinv = ecdsa->kinv;
	277	r = ecdsa->r;
	278	ret->r = r;
4d94ae00	279	ecdsa->kinv = NULL;
c6700d27	280	ecdsa->r = NULL;
4d94ae00 BM	281	}
4d94ae00 BM	282
c6700d27	283	if (!BN_mod_mul(tmp, eckey->priv_key, r, order, ctx))
14a7cfb3 BM	284	{
	285	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
	286	goto err;
	287	}
c6700d27	288	if (!BN_mod_add_quick(s, tmp, m, order))
14a7cfb3 BM	289	{
	290	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
	291	goto err;
	292	}
c6700d27	293	if (!BN_mod_mul(s, s, kinv, order, ctx))
14a7cfb3 BM	294	{
	295	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
	296	goto err;
	297	}
4d94ae00 BM	298	}
	299	while (BN_is_zero(s));
	300
c6700d27 GT	301	ok = 1;
	302	err:
	303	if (!ok)
3613e6fc BM	304	{
	305	ECDSA_SIG_free(ret);
	306	ret = NULL;
3613e6fc	307	}
14a7cfb3 BM	308	if (ctx)
	309	BN_CTX_free(ctx);
	310	if (m)
	311	BN_clear_free(m);
	312	if (tmp)
	313	BN_clear_free(tmp);
	314	if (order)
c6700d27	315	BN_free(order);
14a7cfb3 BM	316	if (kinv)
14a7cfb3 BM	317	BN_clear_free(kinv);
c6700d27	318	return ret;
4d94ae00 BM	319	}
4d94ae00 BM	320
14a7cfb3 BM	321	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
14a7cfb3 BM	322	ECDSA_SIG sig, EC_KEY eckey)
4d94ae00	323	{
14a7cfb3	324	int ret = -1;
c6700d27 GT	325	BN_CTX *ctx;
	326	BIGNUM order, u1, u2, m, *X;
	327	EC_POINT *point = NULL;
	328	EC_GROUP *group;
	329	/* check input values */
14a7cfb3	330	if (!eckey \|\| !eckey->group \|\| !eckey->pub_key \|\| !sig)
4d94ae00	331	{
14a7cfb3	332	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
4d94ae00 BM	333	return -1;
	334	}
	335
c6700d27 GT	336	group = eckey->group;
	337
	338	ctx = BN_CTX_new();
	339	if (!ctx)
14a7cfb3 BM	340	{
14a7cfb3 BM	341	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
c6700d27	342	return -1;
14a7cfb3	343	}
c6700d27 GT	344	BN_CTX_start(ctx);
	345	order = BN_CTX_get(ctx);
	346	u1 = BN_CTX_get(ctx);
	347	u2 = BN_CTX_get(ctx);
	348	m = BN_CTX_get(ctx);
	349	X = BN_CTX_get(ctx);
	350	if (!X)
14a7cfb3 BM	351	{
	352	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
	353	goto err;
	354	}
c6700d27 GT	355
c6700d27 GT	356	if (!EC_GROUP_get_order(group, order, ctx))
4d94ae00	357	{
c6700d27	358	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
4d94ae00 BM	359	goto err;
4d94ae00 BM	360	}
c6700d27 GT	361
	362	if (BN_is_zero(sig->r) \|\| BN_get_sign(sig->r) \|\|
	363	BN_ucmp(sig->r, order) >= 0 \|\| BN_is_zero(sig->s) \|\|
	364	BN_get_sign(sig->s) \|\| BN_ucmp(sig->s, order) >= 0)
4d94ae00	365	{
14a7cfb3	366	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
c6700d27	367	ret = 0; /* signature is invalid */
4d94ae00 BM	368	goto err;
4d94ae00 BM	369	}
4d94ae00	370	/* calculate tmp1 = inv(S) mod order */
c6700d27	371	if (!BN_mod_inverse(u2, sig->s, order, ctx))
14a7cfb3 BM	372	{
	373	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
	374	goto err;
	375	}
4d94ae00	376	/* digest -> m */
c6700d27	377	if (!BN_bin2bn(dgst, dgst_len, m))
14a7cfb3 BM	378	{
	379	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
	380	goto err;
	381	}
4d94ae00	382	/* u1 = m * tmp mod order */
c6700d27	383	if (!BN_mod_mul(u1, m, u2, order, ctx))
14a7cfb3 BM	384	{
	385	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
	386	goto err;
	387	}
4d94ae00	388	/* u2 = r * w mod q */
c6700d27	389	if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
14a7cfb3 BM	390	{
	391	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
	392	goto err;
	393	}
4d94ae00	394
c6700d27	395	if ((point = EC_POINT_new(group)) == NULL)
4d94ae00	396	{
14a7cfb3	397	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
4d94ae00 BM	398	goto err;
4d94ae00 BM	399	}
c6700d27	400	if (!EC_POINT_mul(group, point, u1, eckey->pub_key, u2, ctx))
4d94ae00	401	{
14a7cfb3 BM	402	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
	403	goto err;
	404	}
c6700d27	405	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
14a7cfb3	406	{
c6700d27	407	if (!EC_POINT_get_affine_coordinates_GFp(group,
14a7cfb3 BM	408	point, X, NULL, ctx))
	409	{
	410	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
	411	goto err;
	412	}
	413	}
	414	else /* NID_X9_62_characteristic_two_field */
	415	{
c6700d27	416	if (!EC_POINT_get_affine_coordinates_GF2m(group,
14a7cfb3 BM	417	point, X, NULL, ctx))
	418	{
	419	ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
	420	goto err;
	421	}
	422	}
	423
c6700d27	424	if (!BN_nnmod(u1, X, order, ctx))
14a7cfb3 BM	425	{
14a7cfb3 BM	426	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
4d94ae00 BM	427	goto err;
4d94ae00 BM	428	}
c6700d27 GT	429	/* if the signature is correct u1 is equal to sig->r */
	430	ret = (BN_ucmp(u1, sig->r) == 0);
	431	err:
	432	BN_CTX_end(ctx);
	433	BN_CTX_free(ctx);
14a7cfb3 BM	434	if (point)
14a7cfb3 BM	435	EC_POINT_free(point);
c6700d27	436	return ret;
4d94ae00	437	}