static
int rpmltcVerifyECDSA(pgpDig dig)
/*@*/
{
rpmltc ltc = dig->impl;
int rc = 0; /* assume failure. */
unsigned char sig[2048];
unsigned long siglen = sizeof(sig);
int xx;
if (ltc->digest == NULL || ltc->digestlen == 0) goto exit;
if (ltc->r == NULL || ltc->s == NULL) goto exit;
#ifdef DYING
rpmltcDumpECDSA(__FUNCTION__, ltc);
#endif
xx = der_encode_sequence_multi(sig, &siglen,
LTC_ASN1_INTEGER, 1UL, ltc->r,
LTC_ASN1_INTEGER, 1UL, ltc->s,
LTC_ASN1_EOL, 0UL, NULL);
xx = rpmltcErr(ltc, "ecc_verify_hash",
ecc_verify_hash(sig, siglen,
ltc->digest, ltc->digestlen, &rc, <c->ecdsa));
exit:
SPEW(!rc, rc, dig);
return rc;
}
C4Err ECC_Verify(ECC_ContextRef pubCtx, void *sig, size_t sigLen, void *hash, size_t hashLen)
{
C4Err err = kC4Err_NoErr;
int status = CRYPT_OK;
int valid = 0;
validateECCContext(pubCtx);
ValidateParam(pubCtx->isInited);
if(pubCtx->isBLCurve)
{
status = ecc_bl_verify_hash(sig, sigLen, hash, hashLen, &valid, &pubCtx->key);
}
else
{
status = ecc_verify_hash(sig, sigLen, hash, hashLen, &valid, &pubCtx->key);
}
if(status != CRYPT_OK)
{
err = sCrypt2C4Err(status); CKERR;
}
if(!valid) err = kC4Err_BadIntegrity;
done:
return err;
}
/* ECC DSA Hash Verify */
int CRYPT_ECC_DSA_HashVerify(CRYPT_ECC_CTX* ecc, const unsigned char* sig,
unsigned int sigSz, unsigned char* hash,
unsigned int hashSz, int* status)
{
if (ecc == NULL || sig == NULL || hash == NULL || status == NULL)
return BAD_FUNC_ARG;
return ecc_verify_hash(sig, sigSz, hash, hashSz, status,
(ecc_key*)ecc->holder);
}
void bench_eccKeyAgree(void)
{
ecc_key genKey, genKey2;
double start, total, each, milliEach;
int i, ret;
byte shared[1024];
byte sig[1024];
byte digest[32];
word32 x = 0;
ecc_init(&genKey);
ecc_init(&genKey2);
ret = InitRng(&rng);
if (ret < 0) {
printf("InitRNG failed\n");
return;
}
ret = ecc_make_key(&rng, 32, &genKey);
if (ret != 0) {
printf("ecc_make_key failed\n");
return;
}
ret = ecc_make_key(&rng, 32, &genKey2);
if (ret != 0) {
printf("ecc_make_key failed\n");
return;
}
/* 256 bit */
start = current_time(1);
for(i = 0; i < agreeTimes; i++) {
x = sizeof(shared);
ret = ecc_shared_secret(&genKey, &genKey2, shared, &x);
if (ret != 0) {
printf("ecc_shared_secret failed\n");
return;
}
}
total = current_time(0) - start;
each = total / agreeTimes; /* per second */
milliEach = each * 1000; /* millisconds */
printf("EC-DHE key agreement %6.3f milliseconds, avg over %d"
" iterations\n", milliEach, agreeTimes);
/* make dummy digest */
for (i = 0; i < (int)sizeof(digest); i++)
digest[i] = (byte)i;
start = current_time(1);
for(i = 0; i < agreeTimes; i++) {
x = sizeof(sig);
ret = ecc_sign_hash(digest, sizeof(digest), sig, &x, &rng, &genKey);
if (ret != 0) {
printf("ecc_sign_hash failed\n");
return;
}
}
total = current_time(0) - start;
each = total / agreeTimes; /* per second */
milliEach = each * 1000; /* millisconds */
printf("EC-DSA sign time %6.3f milliseconds, avg over %d"
" iterations\n", milliEach, agreeTimes);
start = current_time(1);
for(i = 0; i < agreeTimes; i++) {
int verify = 0;
ret = ecc_verify_hash(sig, x, digest, sizeof(digest), &verify, &genKey);
if (ret != 0) {
printf("ecc_verify_hash failed\n");
return;
}
}
total = current_time(0) - start;
each = total / agreeTimes; /* per second */
milliEach = each * 1000; /* millisconds */
printf("EC-DSA verify time %6.3f milliseconds, avg over %d"
" iterations\n", milliEach, agreeTimes);
ecc_free(&genKey2);
ecc_free(&genKey);
}
int ecc_tests (void)
{
unsigned char buf[4][4096];
unsigned long x, y, z, s;
int stat, stat2;
ecc_key usera, userb, pubKey, privKey;
DO(ecc_test ());
DO(ecc_test ());
DO(ecc_test ());
DO(ecc_test ());
DO(ecc_test ());
for (s = 0; s < (sizeof(sizes)/sizeof(sizes[0])); s++) {
/* make up two keys */
DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &usera));
DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &userb));
/* make the shared secret */
x = sizeof(buf[0]);
DO(ecc_shared_secret (&usera, &userb, buf[0], &x));
y = sizeof(buf[1]);
DO(ecc_shared_secret (&userb, &usera, buf[1], &y));
if (y != x) {
fprintf(stderr, "ecc Shared keys are not same size.");
return 1;
}
if (memcmp (buf[0], buf[1], x)) {
fprintf(stderr, "ecc Shared keys not same contents.");
return 1;
}
/* now export userb */
y = sizeof(buf[0]);
DO(ecc_export (buf[1], &y, PK_PUBLIC, &userb));
ecc_free (&userb);
/* import and make the shared secret again */
DO(ecc_import (buf[1], y, &userb));
z = sizeof(buf[0]);
DO(ecc_shared_secret (&usera, &userb, buf[2], &z));
if (z != x) {
fprintf(stderr, "failed. Size don't match?");
return 1;
}
if (memcmp (buf[0], buf[2], x)) {
fprintf(stderr, "Failed. Contents didn't match.");
return 1;
}
/* export with ANSI X9.63 */
y = sizeof(buf[1]);
DO(ecc_ansi_x963_export(&userb, buf[1], &y));
ecc_free (&userb);
/* now import the ANSI key */
DO(ecc_ansi_x963_import(buf[1], y, &userb));
/* shared secret */
z = sizeof(buf[0]);
DO(ecc_shared_secret (&usera, &userb, buf[2], &z));
if (z != x) {
fprintf(stderr, "failed. Size don't match?");
return 1;
}
if (memcmp (buf[0], buf[2], x)) {
fprintf(stderr, "Failed. Contents didn't match.");
return 1;
}
ecc_free (&usera);
ecc_free (&userb);
/* test encrypt_key */
DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &usera));
/* export key */
x = sizeof(buf[0]);
DO(ecc_export(buf[0], &x, PK_PUBLIC, &usera));
DO(ecc_import(buf[0], x, &pubKey));
x = sizeof(buf[0]);
DO(ecc_export(buf[0], &x, PK_PRIVATE, &usera));
DO(ecc_import(buf[0], x, &privKey));
for (x = 0; x < 32; x++) {
buf[0][x] = x;
}
y = sizeof (buf[1]);
DO(ecc_encrypt_key (buf[0], 32, buf[1], &y, &yarrow_prng, find_prng ("yarrow"), find_hash ("sha256"), &pubKey));
zeromem (buf[0], sizeof (buf[0]));
x = sizeof (buf[0]);
DO(ecc_decrypt_key (buf[1], y, buf[0], &x, &privKey));
if (x != 32) {
fprintf(stderr, "Failed (length)");
return 1;
}
for (x = 0; x < 32; x++) {
if (buf[0][x] != x) {
fprintf(stderr, "Failed (contents)");
return 1;
}
}
/* test sign_hash */
for (x = 0; x < 16; x++) {
buf[0][x] = x;
}
x = sizeof (buf[1]);
DO(ecc_sign_hash (buf[0], 16, buf[1], &x, &yarrow_prng, find_prng ("yarrow"), &privKey));
DO(ecc_verify_hash (buf[1], x, buf[0], 16, &stat, &pubKey));
buf[0][0] ^= 1;
DO(ecc_verify_hash (buf[1], x, buf[0], 16, &stat2, &privKey));
if (!(stat == 1 && stat2 == 0)) {
fprintf(stderr, "ecc_verify_hash failed %d, %d, ", stat, stat2);
return 1;
}
ecc_free (&usera);
ecc_free (&pubKey);
ecc_free (&privKey);
}
#ifdef LTC_ECC_SHAMIR
return ecc_test_shamir();
#else
return 0;
#endif
}
static int
_wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
const gnutls_datum_t * vdata,
const gnutls_datum_t * signature,
const gnutls_pk_params_st * pk_params)
{
int ret;
unsigned int hash_len;
bigint_t tmp[2] = { NULL, NULL };
switch (algo)
{
case GNUTLS_PK_EC: /* ECDSA */
{
ecc_key pub;
struct dsa_signature sig;
int stat;
int curve_id = pk_params->flags;
if (is_supported_curve(curve_id) == 0)
return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
_ecc_params_to_pubkey(pk_params, &pub);
memcpy (&sig.r, tmp[0], sizeof (sig.r));
memcpy (&sig.s, tmp[1], sizeof (sig.s));
_gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
if (hash_len > vdata->size)
hash_len = vdata->size;
ret = ecc_verify_hash(&sig, vdata->data, hash_len, &stat, &pub, curve_id);
if (ret != 0 || stat != 1)
{
gnutls_assert();
ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
else
ret = 0;
_gnutls_mpi_release (&tmp[0]);
_gnutls_mpi_release (&tmp[1]);
_ecc_params_clear( &pub);
break;
}
case GNUTLS_PK_DSA:
{
struct dsa_public_key pub;
struct dsa_signature sig;
ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
memset(&pub, 0, sizeof(pub));
_dsa_params_to_pubkey (pk_params, &pub);
memcpy (&sig.r, tmp[0], sizeof (sig.r));
memcpy (&sig.s, tmp[1], sizeof (sig.s));
_gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
if (hash_len > vdata->size)
hash_len = vdata->size;
ret = _dsa_verify (&pub, hash_len, vdata->data, &sig);
if (ret == 0)
{
gnutls_assert();
ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
else
ret = 0;
_gnutls_mpi_release (&tmp[0]);
_gnutls_mpi_release (&tmp[1]);
break;
}
case GNUTLS_PK_RSA:
{
struct rsa_public_key pub;
_rsa_params_to_pubkey (pk_params, &pub);
ret = _gnutls_mpi_scan_nz (&tmp[0], signature->data, signature->size);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret = rsa_pkcs1_verify (&pub, vdata->size, vdata->data, TOMPZ(tmp[0]));
if (ret == 0)
ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
else ret = 0;
_gnutls_mpi_release (&tmp[0]);
break;
}
default:
gnutls_assert ();
ret = GNUTLS_E_INTERNAL_ERROR;
goto cleanup;
}
cleanup:
return ret;
}
static int
_wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
const gnutls_datum_t * vdata,
const gnutls_datum_t * signature,
const gnutls_pk_params_st * pk_params)
{
int ret;
unsigned int hash_len;
bigint_t tmp[2] = { NULL, NULL };
switch (algo)
{
case GNUTLS_PK_EC: /* ECDSA */
{
ecc_key pub;
struct dsa_signature sig;
int stat;
ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
_ecc_params_to_pubkey(pk_params, &pub);
memcpy (&sig.r, tmp[0], sizeof (sig.r));
memcpy (&sig.s, tmp[1], sizeof (sig.s));
_gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
if (hash_len > vdata->size)
hash_len = vdata->size;
ret = ecc_verify_hash(&sig, vdata->data, hash_len, &stat, &pub);
if (ret != 0 || stat != 1)
{
gnutls_assert();
ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
else
ret = 0;
_gnutls_mpi_release (&tmp[0]);
_gnutls_mpi_release (&tmp[1]);
_ecc_params_clear( &pub);
break;
}
case GNUTLS_PK_DSA:
{
struct dsa_public_key pub;
struct dsa_signature sig;
ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
memset(&pub, 0, sizeof(pub));
_dsa_params_to_pubkey (pk_params, &pub);
memcpy (&sig.r, tmp[0], sizeof (sig.r));
memcpy (&sig.s, tmp[1], sizeof (sig.s));
_gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
if (hash_len > vdata->size)
hash_len = vdata->size;
ret = _dsa_verify (&pub, hash_len, vdata->data, &sig);
if (ret == 0)
{
gnutls_assert();
ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
else
ret = 0;
_gnutls_mpi_release (&tmp[0]);
_gnutls_mpi_release (&tmp[1]);
break;
}
case GNUTLS_PK_RSA:
{
bigint_t hash;
if (_gnutls_mpi_scan_nz (&hash, vdata->data, vdata->size) != 0)
{
gnutls_assert ();
return GNUTLS_E_MPI_SCAN_FAILED;
}
ret = _gnutls_mpi_scan_nz (&tmp[0], signature->data, signature->size);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret = _int_rsa_verify (pk_params, hash, tmp[0]);
_gnutls_mpi_release (&tmp[0]);
_gnutls_mpi_release (&hash);
break;
}
default:
gnutls_assert ();
ret = GNUTLS_E_INTERNAL_ERROR;
goto cleanup;
}
cleanup:
return ret;
}