1/* ====================================================================
2 * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in
13 *    the documentation and/or other materials provided with the
14 *    distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 *    software must display the following acknowledgment:
18 *    "This product includes software developed by the OpenSSL Project
19 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 *    endorse or promote products derived from this software without
23 *    prior written permission. For written permission, please contact
24 *    openssl-core@OpenSSL.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 *    nor may "OpenSSL" appear in their names without prior written
28 *    permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 *    acknowledgment:
32 *    "This product includes software developed by the OpenSSL Project
33 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ====================================================================
48 *
49 * This product includes cryptographic software written by Eric Young
50 * (eay@cryptsoft.com).  This product includes software written by Tim
51 * Hudson (tjh@cryptsoft.com). */
52
53#include <openssl/ecdsa.h>
54
55#include <limits.h>
56#include <string.h>
57
58#include <openssl/bn.h>
59#include <openssl/bytestring.h>
60#include <openssl/err.h>
61#include <openssl/ec_key.h>
62#include <openssl/mem.h>
63
64#include "../bytestring/internal.h"
65#include "../fipsmodule/ec/internal.h"
66#include "../internal.h"
67
68
69int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,
70               unsigned int *sig_len, const EC_KEY *eckey) {
71  if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
72    return eckey->ecdsa_meth->sign(digest, digest_len, sig, sig_len,
73                                   (EC_KEY*) eckey /* cast away const */);
74  }
75
76  return ECDSA_sign_ex(type, digest, digest_len, sig, sig_len, NULL, NULL,
77                       eckey);
78}
79
80int ECDSA_sign_ex(int type, const uint8_t *digest, size_t digest_len,
81                  uint8_t *sig, unsigned int *sig_len, const BIGNUM *kinv,
82                  const BIGNUM *r, const EC_KEY *eckey) {
83  int ret = 0;
84  ECDSA_SIG *s = NULL;
85
86  if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
87    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
88    *sig_len = 0;
89    goto err;
90  }
91
92  s = ECDSA_do_sign_ex(digest, digest_len, kinv, r, eckey);
93  if (s == NULL) {
94    *sig_len = 0;
95    goto err;
96  }
97
98  CBB cbb;
99  CBB_zero(&cbb);
100  size_t len;
101  if (!CBB_init_fixed(&cbb, sig, ECDSA_size(eckey)) ||
102      !ECDSA_SIG_marshal(&cbb, s) ||
103      !CBB_finish(&cbb, NULL, &len)) {
104    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
105    CBB_cleanup(&cbb);
106    *sig_len = 0;
107    goto err;
108  }
109  *sig_len = (unsigned)len;
110  ret = 1;
111
112err:
113  ECDSA_SIG_free(s);
114  return ret;
115}
116
117int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
118                 const uint8_t *sig, size_t sig_len, const EC_KEY *eckey) {
119  ECDSA_SIG *s;
120  int ret = 0;
121  uint8_t *der = NULL;
122
123  /* Decode the ECDSA signature. */
124  s = ECDSA_SIG_from_bytes(sig, sig_len);
125  if (s == NULL) {
126    goto err;
127  }
128
129  /* Defend against potential laxness in the DER parser. */
130  size_t der_len;
131  if (!ECDSA_SIG_to_bytes(&der, &der_len, s) ||
132      der_len != sig_len || OPENSSL_memcmp(sig, der, sig_len) != 0) {
133    /* This should never happen. crypto/bytestring is strictly DER. */
134    OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
135    goto err;
136  }
137
138  ret = ECDSA_do_verify(digest, digest_len, s, eckey);
139
140err:
141  OPENSSL_free(der);
142  ECDSA_SIG_free(s);
143  return ret;
144}
145
146
147size_t ECDSA_size(const EC_KEY *key) {
148  if (key == NULL) {
149    return 0;
150  }
151
152  size_t group_order_size;
153  if (key->ecdsa_meth && key->ecdsa_meth->group_order_size) {
154    group_order_size = key->ecdsa_meth->group_order_size(key);
155  } else {
156    const EC_GROUP *group = EC_KEY_get0_group(key);
157    if (group == NULL) {
158      return 0;
159    }
160
161    group_order_size = BN_num_bytes(EC_GROUP_get0_order(group));
162  }
163
164  return ECDSA_SIG_max_len(group_order_size);
165}
166
167ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) {
168  ECDSA_SIG *ret = ECDSA_SIG_new();
169  if (ret == NULL) {
170    return NULL;
171  }
172  CBS child;
173  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
174      !BN_parse_asn1_unsigned(&child, ret->r) ||
175      !BN_parse_asn1_unsigned(&child, ret->s) ||
176      CBS_len(&child) != 0) {
177    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
178    ECDSA_SIG_free(ret);
179    return NULL;
180  }
181  return ret;
182}
183
184ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {
185  CBS cbs;
186  CBS_init(&cbs, in, in_len);
187  ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
188  if (ret == NULL || CBS_len(&cbs) != 0) {
189    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
190    ECDSA_SIG_free(ret);
191    return NULL;
192  }
193  return ret;
194}
195
196int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig) {
197  CBB child;
198  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
199      !BN_marshal_asn1(&child, sig->r) ||
200      !BN_marshal_asn1(&child, sig->s) ||
201      !CBB_flush(cbb)) {
202    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
203    return 0;
204  }
205  return 1;
206}
207
208int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,
209                       const ECDSA_SIG *sig) {
210  CBB cbb;
211  CBB_zero(&cbb);
212  if (!CBB_init(&cbb, 0) ||
213      !ECDSA_SIG_marshal(&cbb, sig) ||
214      !CBB_finish(&cbb, out_bytes, out_len)) {
215    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
216    CBB_cleanup(&cbb);
217    return 0;
218  }
219  return 1;
220}
221
222/* der_len_len returns the number of bytes needed to represent a length of |len|
223 * in DER. */
224static size_t der_len_len(size_t len) {
225  if (len < 0x80) {
226    return 1;
227  }
228  size_t ret = 1;
229  while (len > 0) {
230    ret++;
231    len >>= 8;
232  }
233  return ret;
234}
235
236size_t ECDSA_SIG_max_len(size_t order_len) {
237  /* Compute the maximum length of an |order_len| byte integer. Defensively
238   * assume that the leading 0x00 is included. */
239  size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
240  if (integer_len < order_len) {
241    return 0;
242  }
243  /* An ECDSA signature is two INTEGERs. */
244  size_t value_len = 2 * integer_len;
245  if (value_len < integer_len) {
246    return 0;
247  }
248  /* Add the header. */
249  size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
250  if (ret < value_len) {
251    return 0;
252  }
253  return ret;
254}
255
256ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len) {
257  if (len < 0) {
258    return NULL;
259  }
260  CBS cbs;
261  CBS_init(&cbs, *inp, (size_t)len);
262  ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
263  if (ret == NULL) {
264    return NULL;
265  }
266  if (out != NULL) {
267    ECDSA_SIG_free(*out);
268    *out = ret;
269  }
270  *inp = CBS_data(&cbs);
271  return ret;
272}
273
274int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp) {
275  CBB cbb;
276  if (!CBB_init(&cbb, 0) ||
277      !ECDSA_SIG_marshal(&cbb, sig)) {
278    CBB_cleanup(&cbb);
279    return -1;
280  }
281  return CBB_finish_i2d(&cbb, outp);
282}
283