/* Checks if point P(px, py) is at infinity. Uses affine coordinates. */ mp_err ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py) { if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) { return MP_YES; } else { return MP_NO; } }
/* Negates a field element. Assumes that 0 <= a < meth->irr */ mp_err ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth) { /* PRE: 0 <= a < p = meth->irr POST: 0 <= r < p, r = -a (mod p) */ if (mp_cmp_z(a) == 0) { mp_zero(r); return MP_OKAY; } return mp_sub(&meth->irr, a, r); }
/* Subtracts two field elements. Assumes that 0 <= a, b < meth->irr */ mp_err ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r, const GFMethod *meth) { mp_err res = MP_OKAY; /* PRE: 0 <= a, b < p = meth->irr POST: 0 <= r < p, r = a - b (mod p) */ res = mp_sub(a, b, r); if (res == MP_RANGE) { MP_CHECKOK(mp_sub(b, a, r)); if (mp_cmp_z(r) < 0) { MP_CHECKOK(mp_add(r, &meth->irr, r)); } MP_CHECKOK(ec_GFp_neg(r, r, meth)); } if (mp_cmp_z(r) < 0) { MP_CHECKOK(mp_add(r, &meth->irr, r)); } CLEANUP: return res; }
mp_err mp_rsasp(mp_int *msg, mp_int *d, mp_int *modulus, mp_int *sig) { ARGCHK(msg != NULL && d != NULL && modulus != NULL && sig != NULL, MP_BADARG); if((mp_cmp_z(msg) < 0) || (mp_cmp(msg, modulus) >= 0)) { return MP_RANGE; } return mp_exptmod(msg, d, modulus, sig); } /* end mp_rsasp() */
mp_err mp_rsavp(mp_int *sig, mp_int *e, mp_int *modulus, mp_int *msg) { ARGCHK(sig != NULL && e != NULL && modulus != NULL && msg != NULL, MP_BADARG); if((mp_cmp_z(sig) < 0) || (mp_cmp(sig, modulus) >= 0)) { return MP_RANGE; } return mp_exptmod(sig, e, modulus, msg); } /* end mp_rsavp() */
mp_err mp_rsaep(mp_int *msg, mp_int *e, mp_int *modulus, mp_int *cipher) { ARGCHK(msg != NULL && e != NULL && modulus != NULL && cipher != NULL, MP_BADARG); /* Insure that message representative is in range of modulus */ if((mp_cmp_z(msg) < 0) || (mp_cmp(msg, modulus) >= 0)) { return MP_RANGE; } return mp_exptmod(msg, e, modulus, cipher); } /* end mp_rsaep() */
mp_err mp_rsadp(mp_int *cipher, mp_int *d, mp_int *modulus, mp_int *msg) { ARGCHK(cipher != NULL && d != NULL && modulus != NULL && msg != NULL, MP_BADARG); /* Insure that ciphertext representative is in range of modulus */ if((mp_cmp_z(cipher) < 0) || (mp_cmp(cipher, modulus) >= 0)) { return MP_RANGE; } return mp_exptmod(cipher, d, modulus, msg); } /* end mp_rsadp() */
/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should * be an array of signed char's to output to, bitsize should be the number * of bits of out, in is the original scalar, and w is the window size. * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A. * Menezes, "Software implementation of elliptic curve cryptography over * binary fields", Proc. CHES 2000. */ mp_err ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in, int w) { mp_int k; mp_err res = MP_OKAY; int i, twowm1, mask; twowm1 = ec_twoTo(w - 1); mask = 2 * twowm1 - 1; MP_DIGITS(&k) = 0; MP_CHECKOK(mp_init_copy(&k, in)); i = 0; /* Compute wNAF form */ while (mp_cmp_z(&k) > 0) { if (mp_isodd(&k)) { out[i] = MP_DIGIT(&k, 0) & mask; if (out[i] >= twowm1) out[i] -= 2 * twowm1; /* Subtract off out[i]. Note mp_sub_d only works with * unsigned digits */ if (out[i] >= 0) { mp_sub_d(&k, out[i], &k); } else { mp_add_d(&k, -(out[i]), &k); } } else { out[i] = 0; } mp_div_2(&k, &k); i++; } /* Zero out the remaining elements of the out array. */ for (; i < bitsize + 1; i++) { out[i] = 0; } CLEANUP: mp_clear(&k); return res; }
mp_err mpp_divis(mp_int *a, mp_int *b) { mp_err res; mp_int rem; if((res = mp_init(&rem)) != MP_OKAY) return res; if((res = mp_mod(a, b, &rem)) != MP_OKAY) goto CLEANUP; if(mp_cmp_z(&rem) == 0) res = MP_YES; else res = MP_NO; CLEANUP: mp_clear(&rem); return res; } /* end mpp_divis() */
/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is * (qx, qy, 1). Elliptic curve points P, Q, and R can all be identical. * Uses mixed Jacobian-affine coordinates. Assumes input is already * field-encoded using field_enc, and returns output that is still * field-encoded. Uses equation (2) from Brown, Hankerson, Lopez, and * Menezes. Software Implementation of the NIST Elliptic Curves Over Prime * Fields. */ mp_err ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py, const mp_int *pz, const mp_int *qx, const mp_int *qy, mp_int *rx, mp_int *ry, mp_int *rz, const ECGroup *group) { mp_err res = MP_OKAY; mp_int A, B, C, D, C2, C3; MP_DIGITS(&A) = 0; MP_DIGITS(&B) = 0; MP_DIGITS(&C) = 0; MP_DIGITS(&D) = 0; MP_DIGITS(&C2) = 0; MP_DIGITS(&C3) = 0; MP_CHECKOK(mp_init(&A)); MP_CHECKOK(mp_init(&B)); MP_CHECKOK(mp_init(&C)); MP_CHECKOK(mp_init(&D)); MP_CHECKOK(mp_init(&C2)); MP_CHECKOK(mp_init(&C3)); /* If either P or Q is the point at infinity, then return the other * point */ if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) { MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group)); goto CLEANUP; } if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) { MP_CHECKOK(mp_copy(px, rx)); MP_CHECKOK(mp_copy(py, ry)); MP_CHECKOK(mp_copy(pz, rz)); goto CLEANUP; } /* A = qx * pz^2, B = qy * pz^3 */ MP_CHECKOK(group->meth->field_sqr(pz, &A, group->meth)); MP_CHECKOK(group->meth->field_mul(&A, pz, &B, group->meth)); MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth)); MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth)); /* C = A - px, D = B - py */ MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth)); MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth)); if (mp_cmp_z(&C) == 0) { /* P == Q or P == -Q */ if (mp_cmp_z(&D) == 0) { /* P == Q */ /* It is cheaper to double (qx, qy, 1) than (px, py, pz). */ MP_DIGIT(&D, 0) = 1; /* Set D to 1. */ MP_CHECKOK(ec_GFp_pt_dbl_jac(qx, qy, &D, rx, ry, rz, group)); } else { /* P == -Q */ MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); } goto CLEANUP; } /* C2 = C^2, C3 = C^3 */ MP_CHECKOK(group->meth->field_sqr(&C, &C2, group->meth)); MP_CHECKOK(group->meth->field_mul(&C, &C2, &C3, group->meth)); /* rz = pz * C */ MP_CHECKOK(group->meth->field_mul(pz, &C, rz, group->meth)); /* C = px * C^2 */ MP_CHECKOK(group->meth->field_mul(px, &C2, &C, group->meth)); /* A = D^2 */ MP_CHECKOK(group->meth->field_sqr(&D, &A, group->meth)); /* rx = D^2 - (C^3 + 2 * (px * C^2)) */ MP_CHECKOK(group->meth->field_add(&C, &C, rx, group->meth)); MP_CHECKOK(group->meth->field_add(&C3, rx, rx, group->meth)); MP_CHECKOK(group->meth->field_sub(&A, rx, rx, group->meth)); /* C3 = py * C^3 */ MP_CHECKOK(group->meth->field_mul(py, &C3, &C3, group->meth)); /* ry = D * (px * C^2 - rx) - py * C^3 */ MP_CHECKOK(group->meth->field_sub(&C, rx, ry, group->meth)); MP_CHECKOK(group->meth->field_mul(&D, ry, ry, group->meth)); MP_CHECKOK(group->meth->field_sub(ry, &C3, ry, group->meth)); CLEANUP: mp_clear(&A); mp_clear(&B); mp_clear(&C); mp_clear(&D); mp_clear(&C2); mp_clear(&C3); return res; }
/* * Try to find the two primes based on 2 exponents plus either a prime * or a modulus. * * In: e, d and either p or n (depending on the setting of hasModulus). * Out: p,q. * * Step 1, Since d = e**-1 mod phi, we know that d*e == 1 mod phi, or * d*e = 1+k*phi, or d*e-1 = k*phi. since d is less than phi and e is * usually less than d, then k must be an integer between e-1 and 1 * (probably on the order of e). * Step 1a, If we were passed just a prime, we can divide k*phi by that * prime-1 and get k*(q-1). This will reduce the size of our division * through the rest of the loop. * Step 2, Loop through the values k=e-1 to 1 looking for k. k should be on * the order or e, and e is typically small. This may take a while for * a large random e. We are looking for a k that divides kphi * evenly. Once we find a k that divides kphi evenly, we assume it * is the true k. It's possible this k is not the 'true' k but has * swapped factors of p-1 and/or q-1. Because of this, we * tentatively continue Steps 3-6 inside this loop, and may return looking * for another k on failure. * Step 3, Calculate are tentative phi=kphi/k. Note: real phi is (p-1)*(q-1). * Step 4a, if we have a prime, kphi is already k*(q-1), so phi is or tenative * q-1. q = phi+1. If k is correct, q should be the right length and * prime. * Step 4b, It's possible q-1 and k could have swapped factors. We now have a * possible solution that meets our criteria. It may not be the only * solution, however, so we keep looking. If we find more than one, * we will fail since we cannot determine which is the correct * solution, and returning the wrong modulus will compromise both * moduli. If no other solution is found, we return the unique solution. * Step 5a, If we have the modulus (n=pq), then use the following formula to * calculate s=(p+q): , phi = (p-1)(q-1) = pq -p-q +1 = n-s+1. so * s=n-phi+1. * Step 5b, Use n=pq and s=p+q to solve for p and q as follows: * since q=s-p, then n=p*(s-p)= sp - p^2, rearranging p^2-s*p+n = 0. * from the quadratic equation we have p=1/2*(s+sqrt(s*s-4*n)) and * q=1/2*(s-sqrt(s*s-4*n)) if s*s-4*n is a perfect square, we are DONE. * If it is not, continue in our look looking for another k. NOTE: the * code actually distributes the 1/2 and results in the equations: * sqrt = sqrt(s/2*s/2-n), p=s/2+sqrt, q=s/2-sqrt. The algebra saves us * and extra divide by 2 and a multiply by 4. * * This will return p & q. q may be larger than p in the case that p was given * and it was the smaller prime. */ static mp_err rsa_get_primes_from_exponents(mp_int *e, mp_int *d, mp_int *p, mp_int *q, mp_int *n, PRBool hasModulus, unsigned int keySizeInBits) { mp_int kphi; /* k*phi */ mp_int k; /* current guess at 'k' */ mp_int phi; /* (p-1)(q-1) */ mp_int s; /* p+q/2 (s/2 in the algebra) */ mp_int r; /* remainder */ mp_int tmp; /* p-1 if p is given, n+1 is modulus is given */ mp_int sqrt; /* sqrt(s/2*s/2-n) */ mp_err err = MP_OKAY; unsigned int order_k; MP_DIGITS(&kphi) = 0; MP_DIGITS(&phi) = 0; MP_DIGITS(&s) = 0; MP_DIGITS(&k) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&tmp) = 0; MP_DIGITS(&sqrt) = 0; CHECK_MPI_OK( mp_init(&kphi) ); CHECK_MPI_OK( mp_init(&phi) ); CHECK_MPI_OK( mp_init(&s) ); CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_init(&r) ); CHECK_MPI_OK( mp_init(&tmp) ); CHECK_MPI_OK( mp_init(&sqrt) ); /* our algorithm looks for a factor k whose maximum size is dependent * on the size of our smallest exponent, which had better be the public * exponent (if it's the private, the key is vulnerable to a brute force * attack). * * since our factor search is linear, we need to limit the maximum * size of the public key. this should not be a problem normally, since * public keys are usually small. * * if we want to handle larger public key sizes, we should have * a version which tries to 'completely' factor k*phi (where completely * means 'factor into primes, or composites with which are products of * large primes). Once we have all the factors, we can sort them out and * try different combinations to form our phi. The risk is if (p-1)/2, * (q-1)/2, and k are all large primes. In any case if the public key * is small (order of 20 some bits), then a linear search for k is * manageable. */ if (mpl_significant_bits(e) > 23) { err=MP_RANGE; goto cleanup; } /* calculate k*phi = e*d - 1 */ CHECK_MPI_OK( mp_mul(e, d, &kphi) ); CHECK_MPI_OK( mp_sub_d(&kphi, 1, &kphi) ); /* kphi is (e*d)-1, which is the same as k*(p-1)(q-1) * d < (p-1)(q-1), therefor k must be less than e-1 * We can narrow down k even more, though. Since p and q are odd and both * have their high bit set, then we know that phi must be on order of * keySizeBits. */ order_k = (unsigned)mpl_significant_bits(&kphi) - keySizeInBits; /* for (k=kinit; order(k) >= order_k; k--) { */ /* k=kinit: k can't be bigger than kphi/2^(keySizeInBits -1) */ CHECK_MPI_OK( mp_2expt(&k,keySizeInBits-1) ); CHECK_MPI_OK( mp_div(&kphi, &k, &k, NULL)); if (mp_cmp(&k,e) >= 0) { /* also can't be bigger then e-1 */ CHECK_MPI_OK( mp_sub_d(e, 1, &k) ); } /* calculate our temp value */ /* This saves recalculating this value when the k guess is wrong, which * is reasonably frequent. */ /* for the modulus case, tmp = n+1 (used to calculate p+q = tmp - phi) */ /* for the prime case, tmp = p-1 (used to calculate q-1= phi/tmp) */ if (hasModulus) { CHECK_MPI_OK( mp_add_d(n, 1, &tmp) ); } else { CHECK_MPI_OK( mp_sub_d(p, 1, &tmp) ); CHECK_MPI_OK(mp_div(&kphi,&tmp,&kphi,&r)); if (mp_cmp_z(&r) != 0) { /* p-1 doesn't divide kphi, some parameter wasn't correct */ err=MP_RANGE; goto cleanup; } mp_zero(q); /* kphi is now k*(q-1) */ } /* rest of the for loop */ for (; (err == MP_OKAY) && (mpl_significant_bits(&k) >= order_k); err = mp_sub_d(&k, 1, &k)) { /* looking for k as a factor of kphi */ CHECK_MPI_OK(mp_div(&kphi,&k,&phi,&r)); if (mp_cmp_z(&r) != 0) { /* not a factor, try the next one */ continue; } /* we have a possible phi, see if it works */ if (!hasModulus) { if ((unsigned)mpl_significant_bits(&phi) != keySizeInBits/2) { /* phi is not the right size */ continue; } /* phi should be divisible by 2, since * q is odd and phi=(q-1). */ if (mpp_divis_d(&phi,2) == MP_NO) { /* phi is not divisible by 4 */ continue; } /* we now have a candidate for the second prime */ CHECK_MPI_OK(mp_add_d(&phi, 1, &tmp)); /* check to make sure it is prime */ err = rsa_is_prime(&tmp); if (err != MP_OKAY) { if (err == MP_NO) { /* No, then we still have the wrong phi */ err = MP_OKAY; continue; } goto cleanup; } /* * It is possible that we have the wrong phi if * k_guess*(q_guess-1) = k*(q-1) (k and q-1 have swapped factors). * since our q_quess is prime, however. We have found a valid * rsa key because: * q is the correct order of magnitude. * phi = (p-1)(q-1) where p and q are both primes. * e*d mod phi = 1. * There is no way to know from the info given if this is the * original key. We never want to return the wrong key because if * two moduli with the same factor is known, then euclid's gcd * algorithm can be used to find that factor. Even though the * caller didn't pass the original modulus, it doesn't mean the * modulus wasn't known or isn't available somewhere. So to be safe * if we can't be sure we have the right q, we don't return any. * * So to make sure we continue looking for other valid q's. If none * are found, then we can safely return this one, otherwise we just * fail */ if (mp_cmp_z(q) != 0) { /* this is the second valid q, don't return either, * just fail */ err = MP_RANGE; break; } /* we only have one q so far, save it and if no others are found, * it's safe to return it */ CHECK_MPI_OK(mp_copy(&tmp, q)); continue; } /* test our tentative phi */ /* phi should be the correct order */ if ((unsigned)mpl_significant_bits(&phi) != keySizeInBits) { /* phi is not the right size */ continue; } /* phi should be divisible by 4, since * p and q are odd and phi=(p-1)(q-1). */ if (mpp_divis_d(&phi,4) == MP_NO) { /* phi is not divisible by 4 */ continue; } /* n was given, calculate s/2=(p+q)/2 */ CHECK_MPI_OK( mp_sub(&tmp, &phi, &s) ); CHECK_MPI_OK( mp_div_2(&s, &s) ); /* calculate sqrt(s/2*s/2-n) */ CHECK_MPI_OK(mp_sqr(&s,&sqrt)); CHECK_MPI_OK(mp_sub(&sqrt,n,&r)); /* r as a tmp */ CHECK_MPI_OK(mp_sqrt(&r,&sqrt)); /* make sure it's a perfect square */ /* r is our original value we took the square root of */ /* q is the square of our tentative square root. They should be equal*/ CHECK_MPI_OK(mp_sqr(&sqrt,q)); /* q as a tmp */ if (mp_cmp(&r,q) != 0) { /* sigh according to the doc, mp_sqrt could return sqrt-1 */ CHECK_MPI_OK(mp_add_d(&sqrt,1,&sqrt)); CHECK_MPI_OK(mp_sqr(&sqrt,q)); if (mp_cmp(&r,q) != 0) { /* s*s-n not a perfect square, this phi isn't valid, find * another.*/ continue; } } /* NOTE: In this case we know we have the one and only answer. * "Why?", you ask. Because: * 1) n is a composite of two large primes (or it wasn't a * valid RSA modulus). * 2) If we know any number such that x^2-n is a perfect square * and x is not (n+1)/2, then we can calculate 2 non-trivial * factors of n. * 3) Since we know that n has only 2 non-trivial prime factors, * we know the two factors we have are the only possible factors. */ /* Now we are home free to calculate p and q */ /* p = s/2 + sqrt, q= s/2 - sqrt */ CHECK_MPI_OK(mp_add(&s,&sqrt,p)); CHECK_MPI_OK(mp_sub(&s,&sqrt,q)); break; } if ((unsigned)mpl_significant_bits(&k) < order_k) { if (hasModulus || (mp_cmp_z(q) == 0)) { /* If we get here, something was wrong with the parameters we * were given */ err = MP_RANGE; } } cleanup: mp_clear(&kphi); mp_clear(&phi); mp_clear(&s); mp_clear(&k); mp_clear(&r); mp_clear(&tmp); mp_clear(&sqrt); return err; }
/* * take a private key with only a few elements and fill out the missing pieces. * * All the entries will be overwritten with data allocated out of the arena * If no arena is supplied, one will be created. * * The following fields must be supplied in order for this function * to succeed: * one of either publicExponent or privateExponent * two more of the following 5 parameters. * modulus (n) * prime1 (p) * prime2 (q) * publicExponent (e) * privateExponent (d) * * NOTE: if only the publicExponent, privateExponent, and one prime is given, * then there may be more than one RSA key that matches that combination. * * All parameters will be replaced in the key structure with new parameters * Allocated out of the arena. There is no attempt to free the old structures. * Prime1 will always be greater than prime2 (even if the caller supplies the * smaller prime as prime1 or the larger prime as prime2). The parameters are * not overwritten on failure. * * How it works: * We can generate all the parameters from: * one of the exponents, plus the two primes. (rsa_build_key_from_primes) * * If we are given one of the exponents and both primes, we are done. * If we are given one of the exponents, the modulus and one prime, we * caclulate the second prime by dividing the modulus by the given * prime, giving us and exponent and 2 primes. * If we are given 2 exponents and either the modulus or one of the primes * we calculate k*phi = d*e-1, where k is an integer less than d which * divides d*e-1. We find factor k so we can isolate phi. * phi = (p-1)(q-1) * If one of the primes are given, we can use phi to find the other prime * as follows: q = (phi/(p-1)) + 1. We now have 2 primes and an * exponent. (NOTE: if more then one prime meets this condition, the * operation will fail. See comments elsewhere in this file about this). * If the modulus is given, then we can calculate the sum of the primes * as follows: s := (p+q), phi = (p-1)(q-1) = pq -p - q +1, pq = n -> * phi = n - s + 1, s = n - phi +1. Now that we have s = p+q and n=pq, * we can solve our 2 equations and 2 unknowns as follows: q=s-p -> * n=p*(s-p)= sp -p^2 -> p^2-sp+n = 0. Using the quadratic to solve for * p, p=1/2*(s+ sqrt(s*s-4*n)) [q=1/2*(s-sqrt(s*s-4*n)]. We again have * 2 primes and an exponent. * */ SECStatus RSA_PopulatePrivateKey(RSAPrivateKey *key) { PLArenaPool *arena = NULL; PRBool needPublicExponent = PR_TRUE; PRBool needPrivateExponent = PR_TRUE; PRBool hasModulus = PR_FALSE; unsigned int keySizeInBits = 0; int prime_count = 0; /* standard RSA nominclature */ mp_int p, q, e, d, n; /* remainder */ mp_int r; mp_err err = 0; SECStatus rv = SECFailure; MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&e) = 0; MP_DIGITS(&d) = 0; MP_DIGITS(&n) = 0; MP_DIGITS(&r) = 0; CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); CHECK_MPI_OK( mp_init(&e) ); CHECK_MPI_OK( mp_init(&d) ); CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&r) ); /* if the key didn't already have an arena, create one. */ if (key->arena == NULL) { arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE); if (!arena) { goto cleanup; } key->arena = arena; } /* load up the known exponents */ if (key->publicExponent.data) { SECITEM_TO_MPINT(key->publicExponent, &e); needPublicExponent = PR_FALSE; } if (key->privateExponent.data) { SECITEM_TO_MPINT(key->privateExponent, &d); needPrivateExponent = PR_FALSE; } if (needPrivateExponent && needPublicExponent) { /* Not enough information, we need at least one exponent */ err = MP_BADARG; goto cleanup; } /* load up the known primes. If only one prime is given, it will be * assigned 'p'. Once we have both primes, well make sure p is the larger. * The value prime_count tells us howe many we have acquired. */ if (key->prime1.data) { int primeLen = key->prime1.len; if (key->prime1.data[0] == 0) { primeLen--; } keySizeInBits = primeLen * 2 * PR_BITS_PER_BYTE; SECITEM_TO_MPINT(key->prime1, &p); prime_count++; } if (key->prime2.data) { int primeLen = key->prime2.len; if (key->prime2.data[0] == 0) { primeLen--; } keySizeInBits = primeLen * 2 * PR_BITS_PER_BYTE; SECITEM_TO_MPINT(key->prime2, prime_count ? &q : &p); prime_count++; } /* load up the modulus */ if (key->modulus.data) { int modLen = key->modulus.len; if (key->modulus.data[0] == 0) { modLen--; } keySizeInBits = modLen * PR_BITS_PER_BYTE; SECITEM_TO_MPINT(key->modulus, &n); hasModulus = PR_TRUE; } /* if we have the modulus and one prime, calculate the second. */ if ((prime_count == 1) && (hasModulus)) { mp_div(&n,&p,&q,&r); if (mp_cmp_z(&r) != 0) { /* p is not a factor or n, fail */ err = MP_BADARG; goto cleanup; } prime_count++; } /* If we didn't have enough primes try to calculate the primes from * the exponents */ if (prime_count < 2) { /* if we don't have at least 2 primes at this point, then we need both * exponents and one prime or a modulus*/ if (!needPublicExponent && !needPrivateExponent && ((prime_count > 0) || hasModulus)) { CHECK_MPI_OK(rsa_get_primes_from_exponents(&e,&d,&p,&q, &n,hasModulus,keySizeInBits)); } else { /* not enough given parameters to get both primes */ err = MP_BADARG; goto cleanup; } } /* force p to the the larger prime */ if (mp_cmp(&p, &q) < 0) mp_exch(&p, &q); /* we now have our 2 primes and at least one exponent, we can fill * in the key */ rv = rsa_build_from_primes(&p, &q, &e, needPublicExponent, &d, needPrivateExponent, key, keySizeInBits); cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&e); mp_clear(&d); mp_clear(&n); mp_clear(&r); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } if (rv && arena) { PORT_FreeArena(arena, PR_TRUE); key->arena = NULL; } return rv; }
/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) * using Montgomery point multiplication algorithm Mxy() in appendix of * Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over * GF(2^m) without precomputation". Returns: 0 on error 1 if return value * should be the point at infinity 2 otherwise */ static int gf2m_Mxy(const mp_int *x, const mp_int *y, mp_int *x1, mp_int *z1, mp_int *x2, mp_int *z2, const ECGroup *group) { mp_err res = MP_OKAY; int ret = 0; mp_int t3, t4, t5; MP_DIGITS(&t3) = 0; MP_DIGITS(&t4) = 0; MP_DIGITS(&t5) = 0; MP_CHECKOK(mp_init(&t3, FLAG(x2))); MP_CHECKOK(mp_init(&t4, FLAG(x2))); MP_CHECKOK(mp_init(&t5, FLAG(x2))); if (mp_cmp_z(z1) == 0) { mp_zero(x2); mp_zero(z2); ret = 1; goto CLEANUP; } if (mp_cmp_z(z2) == 0) { MP_CHECKOK(mp_copy(x, x2)); MP_CHECKOK(group->meth->field_add(x, y, z2, group->meth)); ret = 2; goto CLEANUP; } MP_CHECKOK(mp_set_int(&t5, 1)); if (group->meth->field_enc) { MP_CHECKOK(group->meth->field_enc(&t5, &t5, group->meth)); } MP_CHECKOK(group->meth->field_mul(z1, z2, &t3, group->meth)); MP_CHECKOK(group->meth->field_mul(z1, x, z1, group->meth)); MP_CHECKOK(group->meth->field_add(z1, x1, z1, group->meth)); MP_CHECKOK(group->meth->field_mul(z2, x, z2, group->meth)); MP_CHECKOK(group->meth->field_mul(z2, x1, x1, group->meth)); MP_CHECKOK(group->meth->field_add(z2, x2, z2, group->meth)); MP_CHECKOK(group->meth->field_mul(z2, z1, z2, group->meth)); MP_CHECKOK(group->meth->field_sqr(x, &t4, group->meth)); MP_CHECKOK(group->meth->field_add(&t4, y, &t4, group->meth)); MP_CHECKOK(group->meth->field_mul(&t4, &t3, &t4, group->meth)); MP_CHECKOK(group->meth->field_add(&t4, z2, &t4, group->meth)); MP_CHECKOK(group->meth->field_mul(&t3, x, &t3, group->meth)); MP_CHECKOK(group->meth->field_div(&t5, &t3, &t3, group->meth)); MP_CHECKOK(group->meth->field_mul(&t3, &t4, &t4, group->meth)); MP_CHECKOK(group->meth->field_mul(x1, &t3, x2, group->meth)); MP_CHECKOK(group->meth->field_add(x2, x, z2, group->meth)); MP_CHECKOK(group->meth->field_mul(z2, &t4, z2, group->meth)); MP_CHECKOK(group->meth->field_add(z2, y, z2, group->meth)); ret = 2; CLEANUP: mp_clear(&t3); mp_clear(&t4); mp_clear(&t5); if (res == MP_OKAY) { return ret; } else { return 0; } }
/* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R. "Fast * multiplication on elliptic curves over GF(2^m) without * precomputation". Elliptic curve points P and R can be identical. Uses * Montgomery projective coordinates. */ mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group) { mp_err res = MP_OKAY; mp_int x1, x2, z1, z2; int i, j; mp_digit top_bit, mask; MP_DIGITS(&x1) = 0; MP_DIGITS(&x2) = 0; MP_DIGITS(&z1) = 0; MP_DIGITS(&z2) = 0; MP_CHECKOK(mp_init(&x1, FLAG(n))); MP_CHECKOK(mp_init(&x2, FLAG(n))); MP_CHECKOK(mp_init(&z1, FLAG(n))); MP_CHECKOK(mp_init(&z2, FLAG(n))); /* if result should be point at infinity */ if ((mp_cmp_z(n) == 0) || (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES)) { MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry)); goto CLEANUP; } MP_CHECKOK(mp_copy(px, &x1)); /* x1 = px */ MP_CHECKOK(mp_set_int(&z1, 1)); /* z1 = 1 */ MP_CHECKOK(group->meth->field_sqr(&x1, &z2, group->meth)); /* z2 = * x1^2 = * px^2 */ MP_CHECKOK(group->meth->field_sqr(&z2, &x2, group->meth)); MP_CHECKOK(group->meth->field_add(&x2, &group->curveb, &x2, group->meth)); /* x2 * = * px^4 * + * b */ /* find top-most bit and go one past it */ i = MP_USED(n) - 1; j = MP_DIGIT_BIT - 1; top_bit = 1; top_bit <<= MP_DIGIT_BIT - 1; mask = top_bit; while (!(MP_DIGITS(n)[i] & mask)) { mask >>= 1; j--; } mask >>= 1; j--; /* if top most bit was at word break, go to next word */ if (!mask) { i--; j = MP_DIGIT_BIT - 1; mask = top_bit; } for (; i >= 0; i--) { for (; j >= 0; j--) { if (MP_DIGITS(n)[i] & mask) { MP_CHECKOK(gf2m_Madd(px, &x1, &z1, &x2, &z2, group, FLAG(n))); MP_CHECKOK(gf2m_Mdouble(&x2, &z2, group, FLAG(n))); } else { MP_CHECKOK(gf2m_Madd(px, &x2, &z2, &x1, &z1, group, FLAG(n))); MP_CHECKOK(gf2m_Mdouble(&x1, &z1, group, FLAG(n))); } mask >>= 1; } j = MP_DIGIT_BIT - 1; mask = top_bit; } /* convert out of "projective" coordinates */ i = gf2m_Mxy(px, py, &x1, &z1, &x2, &z2, group); if (i == 0) { res = MP_BADARG; goto CLEANUP; } else if (i == 1) { MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry)); } else { MP_CHECKOK(mp_copy(&x2, rx)); MP_CHECKOK(mp_copy(&z2, ry)); } CLEANUP: mp_clear(&x1); mp_clear(&x2); mp_clear(&z1); mp_clear(&z2); return res; }
/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic * curve points P and R can be identical. Uses mixed Modified-Jacobian * co-ordinates for doubling and Chudnovsky Jacobian coordinates for * additions. Uses 5-bit window NAF method (algorithm 11) for scalar-point * multiplication from Brown, Hankerson, Lopez, Menezes. Software * Implementation of the NIST Elliptic Curves Over Prime Fields. */ mp_err ec_GFp_point_mul_wNAF_fp(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *ecgroup) { mp_err res = MP_OKAY; mp_int sx, sy, sz; EC_group_fp *group = (EC_group_fp *) ecgroup->extra1; ecfp_chud_pt precomp[16]; ecfp_aff_pt p; ecfp_jm_pt r; signed char naf[group->orderBitSize + 1]; int i; MP_DIGITS(&sx) = 0; MP_DIGITS(&sy) = 0; MP_DIGITS(&sz) = 0; MP_CHECKOK(mp_init(&sx)); MP_CHECKOK(mp_init(&sy)); MP_CHECKOK(mp_init(&sz)); /* if n = 0 then r = inf */ if (mp_cmp_z(n) == 0) { mp_zero(rx); mp_zero(ry); res = MP_OKAY; goto CLEANUP; /* if n < 0 then out of range error */ } else if (mp_cmp_z(n) < 0) { res = MP_RANGE; goto CLEANUP; } /* Convert from integer to floating point */ ecfp_i2fp(p.x, px, ecgroup); ecfp_i2fp(p.y, py, ecgroup); ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup); /* Perform precomputation */ group->precompute_chud(precomp, &p, group); /* Compute 5NAF */ ec_compute_wNAF(naf, group->orderBitSize, n, 5); /* Init R = pt at infinity */ for (i = 0; i < group->numDoubles; i++) { r.z[i] = 0; } /* wNAF method */ for (i = group->orderBitSize; i >= 0; i--) { /* R = 2R */ group->pt_dbl_jm(&r, &r, group); if (naf[i] != 0) { group->pt_add_jm_chud(&r, &precomp[(naf[i] + 15) / 2], &r, group); } } /* Convert from floating point to integer */ ecfp_fp2i(&sx, r.x, ecgroup); ecfp_fp2i(&sy, r.y, ecgroup); ecfp_fp2i(&sz, r.z, ecgroup); /* convert result R to affine coordinates */ MP_CHECKOK(ec_GFp_pt_jac2aff(&sx, &sy, &sz, rx, ry, ecgroup)); CLEANUP: mp_clear(&sx); mp_clear(&sy); mp_clear(&sz); return res; }
/* signature is caller-supplied buffer of at least 20 bytes. ** On input, signature->len == size of buffer to hold signature. ** digest->len == size of digest. */ SECStatus DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature, const SECItem *digest) { /* FIPS-compliance dictates that digest is a SHA1 hash. */ mp_int p, q, g; /* PQG parameters */ mp_int r_, s_; /* tuple (r', s') is received signature) */ mp_int u1, u2, v, w; /* intermediate values used in verification */ mp_int y; /* public key */ mp_err err; SECStatus verified = SECFailure; /* Check args. */ if (!key || !signature || !digest || (signature->len != DSA_SIGNATURE_LEN) || (digest->len != SHA1_LENGTH)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* Initialize MPI integers. */ MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&g) = 0; MP_DIGITS(&y) = 0; MP_DIGITS(&r_) = 0; MP_DIGITS(&s_) = 0; MP_DIGITS(&u1) = 0; MP_DIGITS(&u2) = 0; MP_DIGITS(&v) = 0; MP_DIGITS(&w) = 0; CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); CHECK_MPI_OK( mp_init(&g) ); CHECK_MPI_OK( mp_init(&y) ); CHECK_MPI_OK( mp_init(&r_) ); CHECK_MPI_OK( mp_init(&s_) ); CHECK_MPI_OK( mp_init(&u1) ); CHECK_MPI_OK( mp_init(&u2) ); CHECK_MPI_OK( mp_init(&v) ); CHECK_MPI_OK( mp_init(&w) ); /* ** Convert stored PQG and public key into MPI integers. */ SECITEM_TO_MPINT(key->params.prime, &p); SECITEM_TO_MPINT(key->params.subPrime, &q); SECITEM_TO_MPINT(key->params.base, &g); SECITEM_TO_MPINT(key->publicValue, &y); /* ** Convert received signature (r', s') into MPI integers. */ OCTETS_TO_MPINT(signature->data, &r_, DSA_SUBPRIME_LEN); OCTETS_TO_MPINT(signature->data + DSA_SUBPRIME_LEN, &s_, DSA_SUBPRIME_LEN); /* ** Verify that 0 < r' < q and 0 < s' < q */ if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 || mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) { /* err is zero here. */ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); goto cleanup; /* will return verified == SECFailure */ } /* ** FIPS 186-1, Section 6, Step 1 ** ** w = (s')**-1 mod q */ CHECK_MPI_OK( mp_invmod(&s_, &q, &w) ); /* w = (s')**-1 mod q */ /* ** FIPS 186-1, Section 6, Step 2 ** ** u1 = ((SHA1(M')) * w) mod q */ SECITEM_TO_MPINT(*digest, &u1); /* u1 = SHA1(M') */ CHECK_MPI_OK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */ /* ** FIPS 186-1, Section 6, Step 3 ** ** u2 = ((r') * w) mod q */ CHECK_MPI_OK( mp_mulmod(&r_, &w, &q, &u2) ); /* ** FIPS 186-1, Section 6, Step 4 ** ** v = ((g**u1 * y**u2) mod p) mod q */ CHECK_MPI_OK( mp_exptmod(&g, &u1, &p, &g) ); /* g = g**u1 mod p */ CHECK_MPI_OK( mp_exptmod(&y, &u2, &p, &y) ); /* y = y**u2 mod p */ CHECK_MPI_OK( mp_mulmod(&g, &y, &p, &v) ); /* v = g * y mod p */ CHECK_MPI_OK( mp_mod(&v, &q, &v) ); /* v = v mod q */ /* ** Verification: v == r' */ if (mp_cmp(&v, &r_)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); verified = SECFailure; /* Signature failed to verify. */ } else { verified = SECSuccess; /* Signature verified. */ } cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&g); mp_clear(&y); mp_clear(&r_); mp_clear(&s_); mp_clear(&u1); mp_clear(&u2); mp_clear(&v); mp_clear(&w); if (err) { translate_mpi_error(err); } return verified; }
/* Computes the ECDSA signature (a concatenation of two values r and s) * on the digest using the given key and the random value kb (used in * computing s). */ SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const int kblen) { SECStatus rv = SECFailure; #ifndef NSS_DISABLE_ECC mp_int x1; mp_int d, k; /* private key, random integer */ mp_int r, s; /* tuple (r, s) is the signature */ mp_int n; mp_err err = MP_OKAY; ECParams *ecParams = NULL; SECItem kGpoint = { siBuffer, NULL, 0}; int flen = 0; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ unsigned obits; /* length in bits of the base point order */ #if EC_DEBUG char mpstr[256]; #endif /* Initialize MPI integers. */ /* must happen before the first potential call to cleanup */ MP_DIGITS(&x1) = 0; MP_DIGITS(&d) = 0; MP_DIGITS(&k) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&s) = 0; MP_DIGITS(&n) = 0; /* Check args */ if (!key || !signature || !digest || !kb || (kblen < 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } ecParams = &(key->ecParams); flen = (ecParams->fieldID.size + 7) >> 3; olen = ecParams->order.len; if (signature->data == NULL) { /* a call to get the signature length only */ goto finish; } if (signature->len < 2*olen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); goto cleanup; } CHECK_MPI_OK( mp_init(&x1) ); CHECK_MPI_OK( mp_init(&d) ); CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_init(&r) ); CHECK_MPI_OK( mp_init(&s) ); CHECK_MPI_OK( mp_init(&n) ); SECITEM_TO_MPINT( ecParams->order, &n ); SECITEM_TO_MPINT( key->privateValue, &d ); CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) ); /* Make sure k is in the interval [1, n-1] */ if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) { #if EC_DEBUG printf("k is outside [1, n-1]\n"); mp_tohex(&k, mpstr); printf("k : %s \n", mpstr); mp_tohex(&n, mpstr); printf("n : %s \n", mpstr); #endif PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** We do not want timing information to leak the length of k, ** so we compute k*G using an equivalent scalar of fixed ** bit-length. ** Fix based on patch for ECDSA timing attack in the paper ** by Billy Bob Brumley and Nicola Tuveri at ** http://eprint.iacr.org/2011/232 ** ** How do we convert k to a value of a fixed bit-length? ** k starts off as an integer satisfying 0 <= k < n. Hence, ** n <= k+n < 2n, which means k+n has either the same number ** of bits as n or one more bit than n. If k+n has the same ** number of bits as n, the second addition ensures that the ** final value has exactly one more bit than n. Thus, we ** always end up with a value that exactly one more bit than n. */ CHECK_MPI_OK( mp_add(&k, &n, &k) ); if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) { CHECK_MPI_OK( mp_add(&k, &n, &k) ); } /* ** ANSI X9.62, Section 5.3.2, Step 2 ** ** Compute kG */ kGpoint.len = 2*flen + 1; kGpoint.data = PORT_Alloc(2*flen + 1); if ((kGpoint.data == NULL) || (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint) != SECSuccess)) goto cleanup; /* ** ANSI X9.62, Section 5.3.3, Step 1 ** ** Extract the x co-ordinate of kG into x1 */ CHECK_MPI_OK( mp_read_unsigned_octets(&x1, kGpoint.data + 1, (mp_size) flen) ); /* ** ANSI X9.62, Section 5.3.3, Step 2 ** ** r = x1 mod n NOTE: n is the order of the curve */ CHECK_MPI_OK( mp_mod(&x1, &n, &r) ); /* ** ANSI X9.62, Section 5.3.3, Step 3 ** ** verify r != 0 */ if (mp_cmp_z(&r) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** ANSI X9.62, Section 5.3.3, Step 4 ** ** s = (k**-1 * (HASH(M) + d*r)) mod n */ SECITEM_TO_MPINT(*digest, &s); /* s = HASH(M) */ /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) ); if (digest->len*8 > obits) { mpl_rsh(&s,&s,digest->len*8 - obits); } #if EC_DEBUG mp_todecimal(&n, mpstr); printf("n : %s (dec)\n", mpstr); mp_todecimal(&d, mpstr); printf("d : %s (dec)\n", mpstr); mp_tohex(&x1, mpstr); printf("x1: %s\n", mpstr); mp_todecimal(&s, mpstr); printf("digest: %s (decimal)\n", mpstr); mp_todecimal(&r, mpstr); printf("r : %s (dec)\n", mpstr); mp_tohex(&r, mpstr); printf("r : %s\n", mpstr); #endif CHECK_MPI_OK( mp_invmod(&k, &n, &k) ); /* k = k**-1 mod n */ CHECK_MPI_OK( mp_mulmod(&d, &r, &n, &d) ); /* d = d * r mod n */ CHECK_MPI_OK( mp_addmod(&s, &d, &n, &s) ); /* s = s + d mod n */ CHECK_MPI_OK( mp_mulmod(&s, &k, &n, &s) ); /* s = s * k mod n */ #if EC_DEBUG mp_todecimal(&s, mpstr); printf("s : %s (dec)\n", mpstr); mp_tohex(&s, mpstr); printf("s : %s\n", mpstr); #endif /* ** ANSI X9.62, Section 5.3.3, Step 5 ** ** verify s != 0 */ if (mp_cmp_z(&s) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** ** Signature is tuple (r, s) */ CHECK_MPI_OK( mp_to_fixlen_octets(&r, signature->data, olen) ); CHECK_MPI_OK( mp_to_fixlen_octets(&s, signature->data + olen, olen) ); finish: signature->len = 2*olen; rv = SECSuccess; err = MP_OKAY; cleanup: mp_clear(&x1); mp_clear(&d); mp_clear(&k); mp_clear(&r); mp_clear(&s); mp_clear(&n); if (kGpoint.data) { PORT_ZFree(kGpoint.data, 2*flen + 1); } if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } #if EC_DEBUG printf("ECDSA signing with seed %s\n", (rv == SECSuccess) ? "succeeded" : "failed"); #endif #else PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); #endif /* NSS_DISABLE_ECC */ return rv; }
static SECStatus dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb) { mp_int p, q, g; /* PQG parameters */ mp_int x, k; /* private key & pseudo-random integer */ mp_int r, s; /* tuple (r, s) is signature) */ mp_err err = MP_OKAY; SECStatus rv = SECSuccess; /* FIPS-compliance dictates that digest is a SHA1 hash. */ /* Check args. */ if (!key || !signature || !digest || (signature->len < DSA_SIGNATURE_LEN) || (digest->len != SHA1_LENGTH)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* Initialize MPI integers. */ MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&g) = 0; MP_DIGITS(&x) = 0; MP_DIGITS(&k) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&s) = 0; CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); CHECK_MPI_OK( mp_init(&g) ); CHECK_MPI_OK( mp_init(&x) ); CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_init(&r) ); CHECK_MPI_OK( mp_init(&s) ); /* ** Convert stored PQG and private key into MPI integers. */ SECITEM_TO_MPINT(key->params.prime, &p); SECITEM_TO_MPINT(key->params.subPrime, &q); SECITEM_TO_MPINT(key->params.base, &g); SECITEM_TO_MPINT(key->privateValue, &x); OCTETS_TO_MPINT(kb, &k, DSA_SUBPRIME_LEN); /* ** FIPS 186-1, Section 5, Step 1 ** ** r = (g**k mod p) mod q */ CHECK_MPI_OK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */ CHECK_MPI_OK( mp_mod(&r, &q, &r) ); /* r = r mod q */ /* ** FIPS 186-1, Section 5, Step 2 ** ** s = (k**-1 * (SHA1(M) + x*r)) mod q */ SECITEM_TO_MPINT(*digest, &s); /* s = SHA1(M) */ CHECK_MPI_OK( mp_invmod(&k, &q, &k) ); /* k = k**-1 mod q */ CHECK_MPI_OK( mp_mulmod(&x, &r, &q, &x) ); /* x = x * r mod q */ CHECK_MPI_OK( mp_addmod(&s, &x, &q, &s) ); /* s = s + x mod q */ CHECK_MPI_OK( mp_mulmod(&s, &k, &q, &s) ); /* s = s * k mod q */ /* ** verify r != 0 and s != 0 ** mentioned as optional in FIPS 186-1. */ if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); rv = SECFailure; goto cleanup; } /* ** Step 4 ** ** Signature is tuple (r, s) */ err = mp_to_fixlen_octets(&r, signature->data, DSA_SUBPRIME_LEN); if (err < 0) goto cleanup; err = mp_to_fixlen_octets(&s, signature->data + DSA_SUBPRIME_LEN, DSA_SUBPRIME_LEN); if (err < 0) goto cleanup; err = MP_OKAY; signature->len = DSA_SIGNATURE_LEN; cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&g); mp_clear(&x); mp_clear(&k); mp_clear(&r); mp_clear(&s); if (err) { translate_mpi_error(err); rv = SECFailure; } return rv; }
/* Converts from a floating point representation into an mp_int. Expects * that d is already reduced. */ void ecfp_fp2i(mp_int *mpout, double *d, const ECGroup *ecgroup) { EC_group_fp *group = (EC_group_fp *) ecgroup->extra1; unsigned short i16[(group->primeBitSize + 15) / 16]; double q = 1; #ifdef ECL_THIRTY_TWO_BIT /* TEST uint32_t z = 0; */ unsigned int z = 0; #else uint64_t z = 0; #endif int zBits = 0; int copiedBits = 0; int i = 0; int j = 0; mp_digit *out; /* Result should always be >= 0, so set sign accordingly */ MP_SIGN(mpout) = MP_ZPOS; /* Tidy up so we're just dealing with positive numbers */ ecfp_positiveTidy(d, group); /* We might need to do this reduction step more than once if the * reduction adds smaller terms which carry-over to cause another * reduction. However, this should happen very rarely, if ever, * depending on the elliptic curve. */ do { /* Init loop data */ z = 0; zBits = 0; q = 1; i = 0; j = 0; copiedBits = 0; /* Might have to do a bit more reduction */ group->ecfp_singleReduce(d, group); /* Grow the size of the mpint if it's too small */ s_mp_grow(mpout, group->numInts); MP_USED(mpout) = group->numInts; out = MP_DIGITS(mpout); /* Convert double to 16 bit integers */ while (copiedBits < group->primeBitSize) { if (zBits < 16) { z += d[i] * q; i++; ECFP_ASSERT(i < (group->primeBitSize + 15) / 16); zBits += group->doubleBitSize; } i16[j] = z; j++; z >>= 16; zBits -= 16; q *= ecfp_twom16; copiedBits += 16; } } while (z != 0); /* Convert 16 bit integers to mp_digit */ #ifdef ECL_THIRTY_TWO_BIT for (i = 0; i < (group->primeBitSize + 15) / 16; i += 2) { *out = 0; if (i + 1 < (group->primeBitSize + 15) / 16) { *out = i16[i + 1]; *out <<= 16; } *out++ += i16[i]; } #else /* 64 bit */ for (i = 0; i < (group->primeBitSize + 15) / 16; i += 4) { *out = 0; if (i + 3 < (group->primeBitSize + 15) / 16) { *out = i16[i + 3]; *out <<= 16; } if (i + 2 < (group->primeBitSize + 15) / 16) { *out += i16[i + 2]; *out <<= 16; } if (i + 1 < (group->primeBitSize + 15) / 16) { *out += i16[i + 1]; *out <<= 16; } *out++ += i16[i]; } #endif /* Perform final reduction. mpout should already be the same number * of bits as p, but might not be less than p. Make it so. Since * mpout has the same number of bits as p, and 2p has a larger bit * size, then mpout < 2p, so a single subtraction of p will suffice. */ if (mp_cmp(mpout, &ecgroup->meth->irr) >= 0) { mp_sub(mpout, &ecgroup->meth->irr, mpout); } /* Shrink the size of the mp_int to the actual used size (required for * mp_cmp_z == 0) */ out = MP_DIGITS(mpout); for (i = group->numInts - 1; i > 0; i--) { if (out[i] != 0) break; } MP_USED(mpout) = i + 1; /* Should be between 0 and p-1 */ ECFP_ASSERT(mp_cmp(mpout, &ecgroup->meth->irr) < 0); ECFP_ASSERT(mp_cmp_z(mpout) >= 0); }
/* Computes the ECDSA signature (a concatenation of two values r and s) * on the digest using the given key and the random value kb (used in * computing s). */ SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag) { SECStatus rv = SECFailure; mp_int x1; mp_int d, k; /* private key, random integer */ mp_int r, s; /* tuple (r, s) is the signature */ mp_int n; mp_err err = MP_OKAY; ECParams *ecParams = NULL; SECItem kGpoint = { siBuffer, NULL, 0}; int flen = 0; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ #if EC_DEBUG char mpstr[256]; #endif /* Initialize MPI integers. */ /* must happen before the first potential call to cleanup */ MP_DIGITS(&x1) = 0; MP_DIGITS(&d) = 0; MP_DIGITS(&k) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&s) = 0; MP_DIGITS(&n) = 0; /* Check args */ if (!key || !signature || !digest || !kb || (kblen < 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } ecParams = &(key->ecParams); flen = (ecParams->fieldID.size + 7) >> 3; olen = ecParams->order.len; if (signature->data == NULL) { /* a call to get the signature length only */ goto finish; } if (signature->len < 2*olen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); rv = SECBufferTooSmall; goto cleanup; } CHECK_MPI_OK( mp_init(&x1, kmflag) ); CHECK_MPI_OK( mp_init(&d, kmflag) ); CHECK_MPI_OK( mp_init(&k, kmflag) ); CHECK_MPI_OK( mp_init(&r, kmflag) ); CHECK_MPI_OK( mp_init(&s, kmflag) ); CHECK_MPI_OK( mp_init(&n, kmflag) ); SECITEM_TO_MPINT( ecParams->order, &n ); SECITEM_TO_MPINT( key->privateValue, &d ); CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) ); /* Make sure k is in the interval [1, n-1] */ if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) { #if EC_DEBUG printf("k is outside [1, n-1]\n"); mp_tohex(&k, mpstr); printf("k : %s \n", mpstr); mp_tohex(&n, mpstr); printf("n : %s \n", mpstr); #endif PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* * Using an equivalent exponent of fixed length (same as n or 1 bit less * than n) to keep the kG timing relatively constant. * * Note that this is an extra step on top of the approach defined in * ANSI X9.62 so as to make a fixed length K. */ CHECK_MPI_OK( mp_add(&k, &n, &k) ); CHECK_MPI_OK( mp_div_2(&k, &k) ); /* ** ANSI X9.62, Section 5.3.2, Step 2 ** ** Compute kG */ kGpoint.len = 2*flen + 1; kGpoint.data = PORT_Alloc(2*flen + 1, kmflag); if ((kGpoint.data == NULL) || (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag) != SECSuccess)) goto cleanup; /* ** ANSI X9.62, Section 5.3.3, Step 1 ** ** Extract the x co-ordinate of kG into x1 */ CHECK_MPI_OK( mp_read_unsigned_octets(&x1, kGpoint.data + 1, (mp_size) flen) ); /* ** ANSI X9.62, Section 5.3.3, Step 2 ** ** r = x1 mod n NOTE: n is the order of the curve */ CHECK_MPI_OK( mp_mod(&x1, &n, &r) ); /* ** ANSI X9.62, Section 5.3.3, Step 3 ** ** verify r != 0 */ if (mp_cmp_z(&r) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** ANSI X9.62, Section 5.3.3, Step 4 ** ** s = (k**-1 * (HASH(M) + d*r)) mod n */ SECITEM_TO_MPINT(*digest, &s); /* s = HASH(M) */ /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ if (digest->len*8 > (unsigned int)ecParams->fieldID.size) { mpl_rsh(&s,&s,digest->len*8 - ecParams->fieldID.size); } #if EC_DEBUG mp_todecimal(&n, mpstr); printf("n : %s (dec)\n", mpstr); mp_todecimal(&d, mpstr); printf("d : %s (dec)\n", mpstr); mp_tohex(&x1, mpstr); printf("x1: %s\n", mpstr); mp_todecimal(&s, mpstr); printf("digest: %s (decimal)\n", mpstr); mp_todecimal(&r, mpstr); printf("r : %s (dec)\n", mpstr); mp_tohex(&r, mpstr); printf("r : %s\n", mpstr); #endif CHECK_MPI_OK( mp_invmod(&k, &n, &k) ); /* k = k**-1 mod n */ CHECK_MPI_OK( mp_mulmod(&d, &r, &n, &d) ); /* d = d * r mod n */ CHECK_MPI_OK( mp_addmod(&s, &d, &n, &s) ); /* s = s + d mod n */ CHECK_MPI_OK( mp_mulmod(&s, &k, &n, &s) ); /* s = s * k mod n */ #if EC_DEBUG mp_todecimal(&s, mpstr); printf("s : %s (dec)\n", mpstr); mp_tohex(&s, mpstr); printf("s : %s\n", mpstr); #endif /* ** ANSI X9.62, Section 5.3.3, Step 5 ** ** verify s != 0 */ if (mp_cmp_z(&s) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** ** Signature is tuple (r, s) */ CHECK_MPI_OK( mp_to_fixlen_octets(&r, signature->data, olen) ); CHECK_MPI_OK( mp_to_fixlen_octets(&s, signature->data + olen, olen) ); finish: signature->len = 2*olen; rv = SECSuccess; err = MP_OKAY; cleanup: mp_clear(&x1); mp_clear(&d); mp_clear(&k); mp_clear(&r); mp_clear(&s); mp_clear(&n); if (kGpoint.data) { PORT_ZFree(kGpoint.data, 2*flen + 1); } if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } #if EC_DEBUG printf("ECDSA signing with seed %s\n", (rv == SECSuccess) ? "succeeded" : "failed"); #endif return rv; }
/* Computes R = P + Q based on IEEE P1363 A.10.1. Elliptic curve points P, * Q, and R can all be identical. Uses affine coordinates. Assumes input * is already field-encoded using field_enc, and returns output that is * still field-encoded. */ mp_err ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx, const mp_int *qy, mp_int *rx, mp_int *ry, const ECGroup *group) { mp_err res = MP_OKAY; mp_int lambda, temp, tempx, tempy; MP_DIGITS(&lambda) = 0; MP_DIGITS(&temp) = 0; MP_DIGITS(&tempx) = 0; MP_DIGITS(&tempy) = 0; MP_CHECKOK(mp_init(&lambda)); MP_CHECKOK(mp_init(&temp)); MP_CHECKOK(mp_init(&tempx)); MP_CHECKOK(mp_init(&tempy)); /* if P = inf, then R = Q */ if (ec_GFp_pt_is_inf_aff(px, py) == 0) { MP_CHECKOK(mp_copy(qx, rx)); MP_CHECKOK(mp_copy(qy, ry)); res = MP_OKAY; goto CLEANUP; } /* if Q = inf, then R = P */ if (ec_GFp_pt_is_inf_aff(qx, qy) == 0) { MP_CHECKOK(mp_copy(px, rx)); MP_CHECKOK(mp_copy(py, ry)); res = MP_OKAY; goto CLEANUP; } /* if px != qx, then lambda = (py-qy) / (px-qx) */ if (mp_cmp(px, qx) != 0) { MP_CHECKOK(group->meth->field_sub(py, qy, &tempy, group->meth)); MP_CHECKOK(group->meth->field_sub(px, qx, &tempx, group->meth)); MP_CHECKOK(group->meth->field_div(&tempy, &tempx, &lambda, group->meth)); } else { /* if py != qy or qy = 0, then R = inf */ if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qy) == 0)) { mp_zero(rx); mp_zero(ry); res = MP_OKAY; goto CLEANUP; } /* lambda = (3qx^2+a) / (2qy) */ MP_CHECKOK(group->meth->field_sqr(qx, &tempx, group->meth)); MP_CHECKOK(mp_set_int(&temp, 3)); if (group->meth->field_enc) { MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth)); } MP_CHECKOK(group->meth->field_mul(&tempx, &temp, &tempx, group->meth)); MP_CHECKOK(group->meth->field_add(&tempx, &group->curvea, &tempx, group->meth)); MP_CHECKOK(mp_set_int(&temp, 2)); if (group->meth->field_enc) { MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth)); } MP_CHECKOK(group->meth->field_mul(qy, &temp, &tempy, group->meth)); MP_CHECKOK(group->meth->field_div(&tempx, &tempy, &lambda, group->meth)); } /* rx = lambda^2 - px - qx */ MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth)); MP_CHECKOK(group->meth->field_sub(&tempx, px, &tempx, group->meth)); MP_CHECKOK(group->meth->field_sub(&tempx, qx, &tempx, group->meth)); /* ry = (x1-x2) * lambda - y1 */ MP_CHECKOK(group->meth->field_sub(qx, &tempx, &tempy, group->meth)); MP_CHECKOK(group->meth->field_mul(&tempy, &lambda, &tempy, group->meth)); MP_CHECKOK(group->meth->field_sub(&tempy, qy, &tempy, group->meth)); MP_CHECKOK(mp_copy(&tempx, rx)); MP_CHECKOK(mp_copy(&tempy, ry)); CLEANUP: mp_clear(&lambda); mp_clear(&temp); mp_clear(&tempx); mp_clear(&tempy); return res; }
/* Validates a point on a GFp curve. */ mp_err ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group) { mp_err res = MP_NO; mp_int accl, accr, tmp, pxt, pyt; MP_DIGITS(&accl) = 0; MP_DIGITS(&accr) = 0; MP_DIGITS(&tmp) = 0; MP_DIGITS(&pxt) = 0; MP_DIGITS(&pyt) = 0; MP_CHECKOK(mp_init(&accl)); MP_CHECKOK(mp_init(&accr)); MP_CHECKOK(mp_init(&tmp)); MP_CHECKOK(mp_init(&pxt)); MP_CHECKOK(mp_init(&pyt)); /* 1: Verify that publicValue is not the point at infinity */ if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) { res = MP_NO; goto CLEANUP; } /* 2: Verify that the coordinates of publicValue are elements * of the field. */ if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) || (MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) { res = MP_NO; goto CLEANUP; } /* 3: Verify that publicValue is on the curve. */ if (group->meth->field_enc) { group->meth->field_enc(px, &pxt, group->meth); group->meth->field_enc(py, &pyt, group->meth); } else { MP_CHECKOK(mp_copy(px, &pxt)); MP_CHECKOK(mp_copy(py, &pyt)); } /* left-hand side: y^2 */ MP_CHECKOK(group->meth->field_sqr(&pyt, &accl, group->meth)); /* right-hand side: x^3 + a*x + b = (x^2 + a)*x + b by Horner's rule */ MP_CHECKOK(group->meth->field_sqr(&pxt, &tmp, group->meth)); MP_CHECKOK(group->meth->field_add(&tmp, &group->curvea, &tmp, group->meth)); MP_CHECKOK(group->meth->field_mul(&tmp, &pxt, &accr, group->meth)); MP_CHECKOK(group->meth->field_add(&accr, &group->curveb, &accr, group->meth)); /* check LHS - RHS == 0 */ MP_CHECKOK(group->meth->field_sub(&accl, &accr, &accr, group->meth)); if (mp_cmp_z(&accr) != 0) { res = MP_NO; goto CLEANUP; } /* 4: Verify that the order of the curve times the publicValue * is the point at infinity. */ MP_CHECKOK(ECPoint_mul(group, &group->order, px, py, &pxt, &pyt)); if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) { res = MP_NO; goto CLEANUP; } res = MP_YES; CLEANUP: mp_clear(&accl); mp_clear(&accr); mp_clear(&tmp); mp_clear(&pxt); mp_clear(&pyt); return res; }
/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and * R can be identical. Uses affine coordinates. Assumes input is already * field-encoded using field_enc, and returns output that is still * field-encoded. */ mp_err ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group) { mp_err res = MP_OKAY; mp_int k, k3, qx, qy, sx, sy; int b1, b3, i, l; MP_DIGITS(&k) = 0; MP_DIGITS(&k3) = 0; MP_DIGITS(&qx) = 0; MP_DIGITS(&qy) = 0; MP_DIGITS(&sx) = 0; MP_DIGITS(&sy) = 0; MP_CHECKOK(mp_init(&k)); MP_CHECKOK(mp_init(&k3)); MP_CHECKOK(mp_init(&qx)); MP_CHECKOK(mp_init(&qy)); MP_CHECKOK(mp_init(&sx)); MP_CHECKOK(mp_init(&sy)); /* if n = 0 then r = inf */ if (mp_cmp_z(n) == 0) { mp_zero(rx); mp_zero(ry); res = MP_OKAY; goto CLEANUP; } /* Q = P, k = n */ MP_CHECKOK(mp_copy(px, &qx)); MP_CHECKOK(mp_copy(py, &qy)); MP_CHECKOK(mp_copy(n, &k)); /* if n < 0 then Q = -Q, k = -k */ if (mp_cmp_z(n) < 0) { MP_CHECKOK(group->meth->field_neg(&qy, &qy, group->meth)); MP_CHECKOK(mp_neg(&k, &k)); } #ifdef ECL_DEBUG /* basic double and add method */ l = mpl_significant_bits(&k) - 1; MP_CHECKOK(mp_copy(&qx, &sx)); MP_CHECKOK(mp_copy(&qy, &sy)); for (i = l - 1; i >= 0; i--) { /* S = 2S */ MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); /* if k_i = 1, then S = S + Q */ if (mpl_get_bit(&k, i) != 0) { MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); } } #else /* double and add/subtract method from \ * standard */ /* k3 = 3 * k */ MP_CHECKOK(mp_set_int(&k3, 3)); MP_CHECKOK(mp_mul(&k, &k3, &k3)); /* S = Q */ MP_CHECKOK(mp_copy(&qx, &sx)); MP_CHECKOK(mp_copy(&qy, &sy)); /* l = index of high order bit in binary representation of 3*k */ l = mpl_significant_bits(&k3) - 1; /* for i = l-1 downto 1 */ for (i = l - 1; i >= 1; i--) { /* S = 2S */ MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); b3 = MP_GET_BIT(&k3, i); b1 = MP_GET_BIT(&k, i); /* if k3_i = 1 and k_i = 0, then S = S + Q */ if ((b3 == 1) && (b1 == 0)) { MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); /* if k3_i = 0 and k_i = 1, then S = S - Q */ } else if ((b3 == 0) && (b1 == 1)) { MP_CHECKOK(group->point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group)); } } #endif /* output S */ MP_CHECKOK(mp_copy(&sx, rx)); MP_CHECKOK(mp_copy(&sy, ry)); CLEANUP: mp_clear(&k); mp_clear(&k3); mp_clear(&qx); mp_clear(&qy); mp_clear(&sx); mp_clear(&sy); return res; }
/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses * Jacobian coordinates. * * Assumes input is already field-encoded using field_enc, and returns * output that is still field-encoded. * * This routine implements Point Doubling in the Jacobian Projective * space as described in the paper "Efficient elliptic curve exponentiation * using mixed coordinates", by H. Cohen, A Miyaji, T. Ono. */ mp_err ec_GFp_pt_dbl_jac(const mp_int *px, const mp_int *py, const mp_int *pz, mp_int *rx, mp_int *ry, mp_int *rz, const ECGroup *group) { mp_err res = MP_OKAY; mp_int t0, t1, M, S; MP_DIGITS(&t0) = 0; MP_DIGITS(&t1) = 0; MP_DIGITS(&M) = 0; MP_DIGITS(&S) = 0; MP_CHECKOK(mp_init(&t0)); MP_CHECKOK(mp_init(&t1)); MP_CHECKOK(mp_init(&M)); MP_CHECKOK(mp_init(&S)); /* P == inf or P == -P */ if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES || mp_cmp_z(py) == 0) { MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); goto CLEANUP; } if (mp_cmp_d(pz, 1) == 0) { /* M = 3 * px^2 + a */ MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth)); MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth)); MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth)); MP_CHECKOK(group->meth-> field_add(&t0, &group->curvea, &M, group->meth)); } else if (MP_SIGN(&group->curvea) == MP_NEG && MP_USED(&group->curvea) == 1 && MP_DIGIT(&group->curvea, 0) == 3) { /* M = 3 * (px + pz^2) * (px - pz^2) */ MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth)); MP_CHECKOK(group->meth->field_add(px, &M, &t0, group->meth)); MP_CHECKOK(group->meth->field_sub(px, &M, &t1, group->meth)); MP_CHECKOK(group->meth->field_mul(&t0, &t1, &M, group->meth)); MP_CHECKOK(group->meth->field_add(&M, &M, &t0, group->meth)); MP_CHECKOK(group->meth->field_add(&t0, &M, &M, group->meth)); } else { /* M = 3 * (px^2) + a * (pz^4) */ MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth)); MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth)); MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth)); MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth)); MP_CHECKOK(group->meth->field_sqr(&M, &M, group->meth)); MP_CHECKOK(group->meth-> field_mul(&M, &group->curvea, &M, group->meth)); MP_CHECKOK(group->meth->field_add(&M, &t0, &M, group->meth)); } /* rz = 2 * py * pz */ /* t0 = 4 * py^2 */ if (mp_cmp_d(pz, 1) == 0) { MP_CHECKOK(group->meth->field_add(py, py, rz, group->meth)); MP_CHECKOK(group->meth->field_sqr(rz, &t0, group->meth)); } else { MP_CHECKOK(group->meth->field_add(py, py, &t0, group->meth)); MP_CHECKOK(group->meth->field_mul(&t0, pz, rz, group->meth)); MP_CHECKOK(group->meth->field_sqr(&t0, &t0, group->meth)); } /* S = 4 * px * py^2 = px * (2 * py)^2 */ MP_CHECKOK(group->meth->field_mul(px, &t0, &S, group->meth)); /* rx = M^2 - 2 * S */ MP_CHECKOK(group->meth->field_add(&S, &S, &t1, group->meth)); MP_CHECKOK(group->meth->field_sqr(&M, rx, group->meth)); MP_CHECKOK(group->meth->field_sub(rx, &t1, rx, group->meth)); /* ry = M * (S - rx) - 8 * py^4 */ MP_CHECKOK(group->meth->field_sqr(&t0, &t1, group->meth)); if (mp_isodd(&t1)) { MP_CHECKOK(mp_add(&t1, &group->meth->irr, &t1)); } MP_CHECKOK(mp_div_2(&t1, &t1)); MP_CHECKOK(group->meth->field_sub(&S, rx, &S, group->meth)); MP_CHECKOK(group->meth->field_mul(&M, &S, &M, group->meth)); MP_CHECKOK(group->meth->field_sub(&M, &t1, ry, group->meth)); CLEANUP: mp_clear(&t0); mp_clear(&t1); mp_clear(&M); mp_clear(&S); return res; }
/* signature is caller-supplied buffer of at least 20 bytes. ** On input, signature->len == size of buffer to hold signature. ** digest->len == size of digest. */ SECStatus DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature, const SECItem *digest) { /* FIPS-compliance dictates that digest is a SHA hash. */ mp_int p, q, g; /* PQG parameters */ mp_int r_, s_; /* tuple (r', s') is received signature) */ mp_int u1, u2, v, w; /* intermediate values used in verification */ mp_int y; /* public key */ mp_err err; int dsa_subprime_len, dsa_signature_len, offset; SECItem localDigest; unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN]; SECStatus verified = SECFailure; /* Check args. */ if (!key || !signature || !digest ) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } dsa_subprime_len = PQG_GetLength(&key->params.subPrime); dsa_signature_len = dsa_subprime_len*2; if ((signature->len != dsa_signature_len) || (digest->len > HASH_LENGTH_MAX) || (digest->len < SHA1_LENGTH)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* DSA accepts digests not equal to dsa_subprime_len, if the * digests are greater, than they are truncated to the size of * dsa_subprime_len, using the left most bits. If they are less * then they are padded on the left.*/ PORT_Memset(localDigestData, 0, dsa_subprime_len); offset = (digest->len < dsa_subprime_len) ? (dsa_subprime_len - digest->len) : 0; PORT_Memcpy(localDigestData+offset, digest->data, dsa_subprime_len - offset); localDigest.data = localDigestData; localDigest.len = dsa_subprime_len; /* Initialize MPI integers. */ MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&g) = 0; MP_DIGITS(&y) = 0; MP_DIGITS(&r_) = 0; MP_DIGITS(&s_) = 0; MP_DIGITS(&u1) = 0; MP_DIGITS(&u2) = 0; MP_DIGITS(&v) = 0; MP_DIGITS(&w) = 0; CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); CHECK_MPI_OK( mp_init(&g) ); CHECK_MPI_OK( mp_init(&y) ); CHECK_MPI_OK( mp_init(&r_) ); CHECK_MPI_OK( mp_init(&s_) ); CHECK_MPI_OK( mp_init(&u1) ); CHECK_MPI_OK( mp_init(&u2) ); CHECK_MPI_OK( mp_init(&v) ); CHECK_MPI_OK( mp_init(&w) ); /* ** Convert stored PQG and public key into MPI integers. */ SECITEM_TO_MPINT(key->params.prime, &p); SECITEM_TO_MPINT(key->params.subPrime, &q); SECITEM_TO_MPINT(key->params.base, &g); SECITEM_TO_MPINT(key->publicValue, &y); /* ** Convert received signature (r', s') into MPI integers. */ OCTETS_TO_MPINT(signature->data, &r_, dsa_subprime_len); OCTETS_TO_MPINT(signature->data + dsa_subprime_len, &s_, dsa_subprime_len); /* ** Verify that 0 < r' < q and 0 < s' < q */ if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 || mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) { /* err is zero here. */ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); goto cleanup; /* will return verified == SECFailure */ } /* ** FIPS 186-1, Section 6, Step 1 ** ** w = (s')**-1 mod q */ CHECK_MPI_OK( mp_invmod(&s_, &q, &w) ); /* w = (s')**-1 mod q */ /* ** FIPS 186-1, Section 6, Step 2 ** ** u1 = ((Hash(M')) * w) mod q */ SECITEM_TO_MPINT(localDigest, &u1); /* u1 = HASH(M') */ CHECK_MPI_OK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */ /* ** FIPS 186-1, Section 6, Step 3 ** ** u2 = ((r') * w) mod q */ CHECK_MPI_OK( mp_mulmod(&r_, &w, &q, &u2) ); /* ** FIPS 186-1, Section 6, Step 4 ** ** v = ((g**u1 * y**u2) mod p) mod q */ CHECK_MPI_OK( mp_exptmod(&g, &u1, &p, &g) ); /* g = g**u1 mod p */ CHECK_MPI_OK( mp_exptmod(&y, &u2, &p, &y) ); /* y = y**u2 mod p */ CHECK_MPI_OK( mp_mulmod(&g, &y, &p, &v) ); /* v = g * y mod p */ CHECK_MPI_OK( mp_mod(&v, &q, &v) ); /* v = v mod q */ /* ** Verification: v == r' */ if (mp_cmp(&v, &r_)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); verified = SECFailure; /* Signature failed to verify. */ } else { verified = SECSuccess; /* Signature verified. */ } cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&g); mp_clear(&y); mp_clear(&r_); mp_clear(&s_); mp_clear(&u1); mp_clear(&u2); mp_clear(&v); mp_clear(&w); if (err) { translate_mpi_error(err); } return verified; }
/* Checks if point P(px, py, pz) is at infinity. Uses Jacobian * coordinates. */ mp_err ec_GFp_pt_is_inf_jac(const mp_int *px, const mp_int *py, const mp_int *pz) { return mp_cmp_z(pz); }
/* Uses mixed Jacobian-affine coordinates to perform a point * multiplication: R = n * P, n scalar. Uses mixed Jacobian-affine * coordinates (Jacobian coordinates for doubles and affine coordinates * for additions; based on recommendation from Brown et al.). Not very * time efficient but quite space efficient, no precomputation needed. * group contains the elliptic curve coefficients and the prime that * determines the field GFp. Elliptic curve points P and R can be * identical. Performs calculations in floating point number format, since * this is faster than the integer operations on the ULTRASPARC III. * Uses left-to-right binary method (double & add) (algorithm 9) for * scalar-point multiplication from Brown, Hankerson, Lopez, Menezes. * Software Implementation of the NIST Elliptic Curves Over Prime Fields. */ mp_err ec_GFp_pt_mul_jac_fp(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *ecgroup) { mp_err res; mp_int sx, sy, sz; ecfp_aff_pt p; ecfp_jac_pt r; EC_group_fp *group = (EC_group_fp *) ecgroup->extra1; int i, l; MP_DIGITS(&sx) = 0; MP_DIGITS(&sy) = 0; MP_DIGITS(&sz) = 0; MP_CHECKOK(mp_init(&sx)); MP_CHECKOK(mp_init(&sy)); MP_CHECKOK(mp_init(&sz)); /* if n = 0 then r = inf */ if (mp_cmp_z(n) == 0) { mp_zero(rx); mp_zero(ry); res = MP_OKAY; goto CLEANUP; /* if n < 0 then out of range error */ } else if (mp_cmp_z(n) < 0) { res = MP_RANGE; goto CLEANUP; } /* Convert from integer to floating point */ ecfp_i2fp(p.x, px, ecgroup); ecfp_i2fp(p.y, py, ecgroup); ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup); /* Init r to point at infinity */ for (i = 0; i < group->numDoubles; i++) { r.z[i] = 0; } /* double and add method */ l = mpl_significant_bits(n) - 1; for (i = l; i >= 0; i--) { /* R = 2R */ group->pt_dbl_jac(&r, &r, group); /* if n_i = 1, then R = R + Q */ if (MP_GET_BIT(n, i) != 0) { group->pt_add_jac_aff(&r, &p, &r, group); } } /* Convert from floating point to integer */ ecfp_fp2i(&sx, r.x, ecgroup); ecfp_fp2i(&sy, r.y, ecgroup); ecfp_fp2i(&sz, r.z, ecgroup); /* convert result R to affine coordinates */ MP_CHECKOK(ec_GFp_pt_jac2aff(&sx, &sy, &sz, rx, ry, ecgroup)); CLEANUP: mp_clear(&sx); mp_clear(&sy); mp_clear(&sz); return res; }
/* ** Checks the signature on the given digest using the key provided. */ SECStatus ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, const SECItem *digest) { SECStatus rv = SECFailure; #ifndef NSS_DISABLE_ECC mp_int r_, s_; /* tuple (r', s') is received signature) */ mp_int c, u1, u2, v; /* intermediate values used in verification */ mp_int x1; mp_int n; mp_err err = MP_OKAY; ECParams *ecParams = NULL; SECItem pointC = { siBuffer, NULL, 0 }; int slen; /* length in bytes of a half signature (r or s) */ int flen; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ unsigned obits; /* length in bits of the base point order */ #if EC_DEBUG char mpstr[256]; printf("ECDSA verification called\n"); #endif /* Initialize MPI integers. */ /* must happen before the first potential call to cleanup */ MP_DIGITS(&r_) = 0; MP_DIGITS(&s_) = 0; MP_DIGITS(&c) = 0; MP_DIGITS(&u1) = 0; MP_DIGITS(&u2) = 0; MP_DIGITS(&x1) = 0; MP_DIGITS(&v) = 0; MP_DIGITS(&n) = 0; /* Check args */ if (!key || !signature || !digest) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } ecParams = &(key->ecParams); flen = (ecParams->fieldID.size + 7) >> 3; olen = ecParams->order.len; if (signature->len == 0 || signature->len%2 != 0 || signature->len > 2*olen) { PORT_SetError(SEC_ERROR_INPUT_LEN); goto cleanup; } slen = signature->len/2; SECITEM_AllocItem(NULL, &pointC, 2*flen + 1); if (pointC.data == NULL) goto cleanup; CHECK_MPI_OK( mp_init(&r_) ); CHECK_MPI_OK( mp_init(&s_) ); CHECK_MPI_OK( mp_init(&c) ); CHECK_MPI_OK( mp_init(&u1) ); CHECK_MPI_OK( mp_init(&u2) ); CHECK_MPI_OK( mp_init(&x1) ); CHECK_MPI_OK( mp_init(&v) ); CHECK_MPI_OK( mp_init(&n) ); /* ** Convert received signature (r', s') into MPI integers. */ CHECK_MPI_OK( mp_read_unsigned_octets(&r_, signature->data, slen) ); CHECK_MPI_OK( mp_read_unsigned_octets(&s_, signature->data + slen, slen) ); /* ** ANSI X9.62, Section 5.4.2, Steps 1 and 2 ** ** Verify that 0 < r' < n and 0 < s' < n */ SECITEM_TO_MPINT(ecParams->order, &n); if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 || mp_cmp(&r_, &n) >= 0 || mp_cmp(&s_, &n) >= 0) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); goto cleanup; /* will return rv == SECFailure */ } /* ** ANSI X9.62, Section 5.4.2, Step 3 ** ** c = (s')**-1 mod n */ CHECK_MPI_OK( mp_invmod(&s_, &n, &c) ); /* c = (s')**-1 mod n */ /* ** ANSI X9.62, Section 5.4.2, Step 4 ** ** u1 = ((HASH(M')) * c) mod n */ SECITEM_TO_MPINT(*digest, &u1); /* u1 = HASH(M) */ /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) ); if (digest->len*8 > obits) { /* u1 = HASH(M') */ mpl_rsh(&u1,&u1,digest->len*8 - obits); } #if EC_DEBUG mp_todecimal(&r_, mpstr); printf("r_: %s (dec)\n", mpstr); mp_todecimal(&s_, mpstr); printf("s_: %s (dec)\n", mpstr); mp_todecimal(&c, mpstr); printf("c : %s (dec)\n", mpstr); mp_todecimal(&u1, mpstr); printf("digest: %s (dec)\n", mpstr); #endif CHECK_MPI_OK( mp_mulmod(&u1, &c, &n, &u1) ); /* u1 = u1 * c mod n */ /* ** ANSI X9.62, Section 5.4.2, Step 4 ** ** u2 = ((r') * c) mod n */ CHECK_MPI_OK( mp_mulmod(&r_, &c, &n, &u2) ); /* ** ANSI X9.62, Section 5.4.3, Step 1 ** ** Compute u1*G + u2*Q ** Here, A = u1.G B = u2.Q and C = A + B ** If the result, C, is the point at infinity, reject the signature */ if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC) != SECSuccess) { rv = SECFailure; goto cleanup; } if (ec_point_at_infinity(&pointC)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); rv = SECFailure; goto cleanup; } CHECK_MPI_OK( mp_read_unsigned_octets(&x1, pointC.data + 1, flen) ); /* ** ANSI X9.62, Section 5.4.4, Step 2 ** ** v = x1 mod n */ CHECK_MPI_OK( mp_mod(&x1, &n, &v) ); #if EC_DEBUG mp_todecimal(&r_, mpstr); printf("r_: %s (dec)\n", mpstr); mp_todecimal(&v, mpstr); printf("v : %s (dec)\n", mpstr); #endif /* ** ANSI X9.62, Section 5.4.4, Step 3 ** ** Verification: v == r' */ if (mp_cmp(&v, &r_)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); rv = SECFailure; /* Signature failed to verify. */ } else { rv = SECSuccess; /* Signature verified. */ } #if EC_DEBUG mp_todecimal(&u1, mpstr); printf("u1: %s (dec)\n", mpstr); mp_todecimal(&u2, mpstr); printf("u2: %s (dec)\n", mpstr); mp_tohex(&x1, mpstr); printf("x1: %s\n", mpstr); mp_todecimal(&v, mpstr); printf("v : %s (dec)\n", mpstr); #endif cleanup: mp_clear(&r_); mp_clear(&s_); mp_clear(&c); mp_clear(&u1); mp_clear(&u2); mp_clear(&x1); mp_clear(&v); mp_clear(&n); if (pointC.data) SECITEM_FreeItem(&pointC, PR_FALSE); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } #if EC_DEBUG printf("ECDSA verification %s\n", (rv == SECSuccess) ? "succeeded" : "failed"); #endif #else PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); #endif /* NSS_DISABLE_ECC */ return rv; }
static SECStatus dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb) { mp_int p, q, g; /* PQG parameters */ mp_int x, k; /* private key & pseudo-random integer */ mp_int r, s; /* tuple (r, s) is signature) */ mp_err err = MP_OKAY; SECStatus rv = SECSuccess; unsigned int dsa_subprime_len, dsa_signature_len, offset; SECItem localDigest; unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN]; /* FIPS-compliance dictates that digest is a SHA hash. */ /* Check args. */ if (!key || !signature || !digest) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } dsa_subprime_len = PQG_GetLength(&key->params.subPrime); dsa_signature_len = dsa_subprime_len*2; if ((signature->len < dsa_signature_len) || (digest->len > HASH_LENGTH_MAX) || (digest->len < SHA1_LENGTH)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* DSA accepts digests not equal to dsa_subprime_len, if the * digests are greater, then they are truncated to the size of * dsa_subprime_len, using the left most bits. If they are less * then they are padded on the left.*/ PORT_Memset(localDigestData, 0, dsa_subprime_len); offset = (digest->len < dsa_subprime_len) ? (dsa_subprime_len - digest->len) : 0; PORT_Memcpy(localDigestData+offset, digest->data, dsa_subprime_len - offset); localDigest.data = localDigestData; localDigest.len = dsa_subprime_len; /* Initialize MPI integers. */ MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&g) = 0; MP_DIGITS(&x) = 0; MP_DIGITS(&k) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&s) = 0; CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); CHECK_MPI_OK( mp_init(&g) ); CHECK_MPI_OK( mp_init(&x) ); CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_init(&r) ); CHECK_MPI_OK( mp_init(&s) ); /* ** Convert stored PQG and private key into MPI integers. */ SECITEM_TO_MPINT(key->params.prime, &p); SECITEM_TO_MPINT(key->params.subPrime, &q); SECITEM_TO_MPINT(key->params.base, &g); SECITEM_TO_MPINT(key->privateValue, &x); OCTETS_TO_MPINT(kb, &k, dsa_subprime_len); /* ** FIPS 186-1, Section 5, Step 1 ** ** r = (g**k mod p) mod q */ CHECK_MPI_OK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */ CHECK_MPI_OK( mp_mod(&r, &q, &r) ); /* r = r mod q */ /* ** FIPS 186-1, Section 5, Step 2 ** ** s = (k**-1 * (HASH(M) + x*r)) mod q */ SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */ CHECK_MPI_OK( mp_invmod(&k, &q, &k) ); /* k = k**-1 mod q */ CHECK_MPI_OK( mp_mulmod(&x, &r, &q, &x) ); /* x = x * r mod q */ CHECK_MPI_OK( mp_addmod(&s, &x, &q, &s) ); /* s = s + x mod q */ CHECK_MPI_OK( mp_mulmod(&s, &k, &q, &s) ); /* s = s * k mod q */ /* ** verify r != 0 and s != 0 ** mentioned as optional in FIPS 186-1. */ if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); rv = SECFailure; goto cleanup; } /* ** Step 4 ** ** Signature is tuple (r, s) */ err = mp_to_fixlen_octets(&r, signature->data, dsa_subprime_len); if (err < 0) goto cleanup; err = mp_to_fixlen_octets(&s, signature->data + dsa_subprime_len, dsa_subprime_len); if (err < 0) goto cleanup; err = MP_OKAY; signature->len = dsa_signature_len; cleanup: PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN); mp_clear(&p); mp_clear(&q); mp_clear(&g); mp_clear(&x); mp_clear(&k); mp_clear(&r); mp_clear(&s); if (err) { translate_mpi_error(err); rv = SECFailure; } return rv; }