1 // Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/ecdsa.h>
16
17 #include <limits.h>
18 #include <string.h>
19
20 #include <openssl/bn.h>
21 #include <openssl/bytestring.h>
22 #include <openssl/ec_key.h>
23 #include <openssl/err.h>
24 #include <openssl/mem.h>
25
26 #include "../bytestring/internal.h"
27 #include "../fipsmodule/ecdsa/internal.h"
28 #include "../internal.h"
29
30
ecdsa_sig_from_fixed(const EC_KEY * key,const uint8_t * in,size_t len)31 static ECDSA_SIG *ecdsa_sig_from_fixed(const EC_KEY *key, const uint8_t *in,
32 size_t len) {
33 const EC_GROUP *group = EC_KEY_get0_group(key);
34 if (group == NULL) {
35 OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
36 return NULL;
37 }
38 size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
39 if (len != 2 * scalar_len) {
40 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
41 return NULL;
42 }
43 ECDSA_SIG *ret = ECDSA_SIG_new();
44 if (ret == NULL || !BN_bin2bn(in, scalar_len, ret->r) ||
45 !BN_bin2bn(in + scalar_len, scalar_len, ret->s)) {
46 ECDSA_SIG_free(ret);
47 return NULL;
48 }
49 return ret;
50 }
51
ecdsa_sig_to_fixed(const EC_KEY * key,uint8_t * out,size_t * out_len,size_t max_out,const ECDSA_SIG * sig)52 static int ecdsa_sig_to_fixed(const EC_KEY *key, uint8_t *out, size_t *out_len,
53 size_t max_out, const ECDSA_SIG *sig) {
54 const EC_GROUP *group = EC_KEY_get0_group(key);
55 if (group == NULL) {
56 OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
57 return 0;
58 }
59 size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
60 if (max_out < 2 * scalar_len) {
61 OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
62 return 0;
63 }
64 if (BN_is_negative(sig->r) || !BN_bn2bin_padded(out, scalar_len, sig->r) ||
65 BN_is_negative(sig->s) ||
66 !BN_bn2bin_padded(out + scalar_len, scalar_len, sig->s)) {
67 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
68 return 0;
69 }
70 *out_len = 2 * scalar_len;
71 return 1;
72 }
73
ECDSA_sign(int type,const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * out_sig_len,const EC_KEY * eckey)74 int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,
75 unsigned int *out_sig_len, const EC_KEY *eckey) {
76 if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
77 return eckey->ecdsa_meth->sign(digest, digest_len, sig, out_sig_len,
78 (EC_KEY *)eckey /* cast away const */);
79 }
80
81 *out_sig_len = 0;
82 uint8_t fixed[ECDSA_MAX_FIXED_LEN];
83 size_t fixed_len;
84 if (!ecdsa_sign_fixed(digest, digest_len, fixed, &fixed_len, sizeof(fixed),
85 eckey)) {
86 return 0;
87 }
88
89 // TODO(davidben): We can actually do better and go straight from the DER
90 // format to the fixed-width format without a malloc.
91 bssl::UniquePtr<ECDSA_SIG> s(ecdsa_sig_from_fixed(eckey, fixed, fixed_len));
92 if (s == nullptr) {
93 return 0;
94 }
95
96 CBB cbb;
97 CBB_init_fixed(&cbb, sig, ECDSA_size(eckey));
98 size_t len;
99 if (!ECDSA_SIG_marshal(&cbb, s.get()) || !CBB_finish(&cbb, nullptr, &len)) {
100 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
101 return 0;
102 }
103 *out_sig_len = static_cast<unsigned>(len);
104 return 1;
105 }
106
ECDSA_verify(int type,const uint8_t * digest,size_t digest_len,const uint8_t * sig,size_t sig_len,const EC_KEY * eckey)107 int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
108 const uint8_t *sig, size_t sig_len, const EC_KEY *eckey) {
109 // Decode the ECDSA signature.
110 //
111 // TODO(davidben): We can actually do better and go straight from the DER
112 // format to the fixed-width format without a malloc.
113 int ret = 0;
114 uint8_t *der = nullptr;
115 bssl::UniquePtr<ECDSA_SIG> s(ECDSA_SIG_from_bytes(sig, sig_len));
116 if (s == nullptr) {
117 goto err;
118 }
119
120 // Defend against potential laxness in the DER parser.
121 size_t der_len;
122 if (!ECDSA_SIG_to_bytes(&der, &der_len, s.get()) || der_len != sig_len ||
123 OPENSSL_memcmp(sig, der, sig_len) != 0) {
124 // This should never happen. crypto/bytestring is strictly DER.
125 OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
126 goto err;
127 }
128
129 uint8_t fixed[ECDSA_MAX_FIXED_LEN];
130 size_t fixed_len;
131 ret = ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), s.get()) &&
132 ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey);
133
134 err:
135 OPENSSL_free(der);
136 return ret;
137 }
138
139
ECDSA_size(const EC_KEY * key)140 size_t ECDSA_size(const EC_KEY *key) {
141 if (key == NULL) {
142 return 0;
143 }
144
145 const EC_GROUP *group = EC_KEY_get0_group(key);
146 if (group == NULL) {
147 return 0;
148 }
149
150 size_t group_order_size = BN_num_bytes(EC_GROUP_get0_order(group));
151 return ECDSA_SIG_max_len(group_order_size);
152 }
153
ECDSA_SIG_new(void)154 ECDSA_SIG *ECDSA_SIG_new(void) {
155 ECDSA_SIG *sig =
156 reinterpret_cast<ECDSA_SIG *>(OPENSSL_malloc(sizeof(ECDSA_SIG)));
157 if (sig == NULL) {
158 return NULL;
159 }
160 sig->r = BN_new();
161 sig->s = BN_new();
162 if (sig->r == NULL || sig->s == NULL) {
163 ECDSA_SIG_free(sig);
164 return NULL;
165 }
166 return sig;
167 }
168
ECDSA_SIG_free(ECDSA_SIG * sig)169 void ECDSA_SIG_free(ECDSA_SIG *sig) {
170 if (sig == NULL) {
171 return;
172 }
173
174 BN_free(sig->r);
175 BN_free(sig->s);
176 OPENSSL_free(sig);
177 }
178
ECDSA_SIG_get0_r(const ECDSA_SIG * sig)179 const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) { return sig->r; }
180
ECDSA_SIG_get0_s(const ECDSA_SIG * sig)181 const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) { return sig->s; }
182
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** out_r,const BIGNUM ** out_s)183 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,
184 const BIGNUM **out_s) {
185 if (out_r != NULL) {
186 *out_r = sig->r;
187 }
188 if (out_s != NULL) {
189 *out_s = sig->s;
190 }
191 }
192
ECDSA_SIG_set0(ECDSA_SIG * sig,BIGNUM * r,BIGNUM * s)193 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
194 if (r == NULL || s == NULL) {
195 return 0;
196 }
197 BN_free(sig->r);
198 BN_free(sig->s);
199 sig->r = r;
200 sig->s = s;
201 return 1;
202 }
203
ECDSA_do_verify(const uint8_t * digest,size_t digest_len,const ECDSA_SIG * sig,const EC_KEY * eckey)204 int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
205 const ECDSA_SIG *sig, const EC_KEY *eckey) {
206 uint8_t fixed[ECDSA_MAX_FIXED_LEN];
207 size_t fixed_len;
208 return ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), sig) &&
209 ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey);
210 }
211
212 // This function is only exported for testing and is not called in production
213 // code.
ECDSA_sign_with_nonce_and_leak_private_key_for_testing(const uint8_t * digest,size_t digest_len,const EC_KEY * eckey,const uint8_t * nonce,size_t nonce_len)214 ECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing(
215 const uint8_t *digest, size_t digest_len, const EC_KEY *eckey,
216 const uint8_t *nonce, size_t nonce_len) {
217 uint8_t sig[ECDSA_MAX_FIXED_LEN];
218 size_t sig_len;
219 if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test(
220 digest, digest_len, sig, &sig_len, sizeof(sig), eckey, nonce,
221 nonce_len)) {
222 return NULL;
223 }
224
225 return ecdsa_sig_from_fixed(eckey, sig, sig_len);
226 }
227
ECDSA_do_sign(const uint8_t * digest,size_t digest_len,const EC_KEY * eckey)228 ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
229 const EC_KEY *eckey) {
230 uint8_t sig[ECDSA_MAX_FIXED_LEN];
231 size_t sig_len;
232 if (!ecdsa_sign_fixed(digest, digest_len, sig, &sig_len, sizeof(sig),
233 eckey)) {
234 return NULL;
235 }
236
237 return ecdsa_sig_from_fixed(eckey, sig, sig_len);
238 }
239
ECDSA_SIG_parse(CBS * cbs)240 ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) {
241 ECDSA_SIG *ret = ECDSA_SIG_new();
242 if (ret == NULL) {
243 return NULL;
244 }
245 CBS child;
246 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
247 !BN_parse_asn1_unsigned(&child, ret->r) ||
248 !BN_parse_asn1_unsigned(&child, ret->s) || CBS_len(&child) != 0) {
249 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
250 ECDSA_SIG_free(ret);
251 return NULL;
252 }
253 return ret;
254 }
255
ECDSA_SIG_from_bytes(const uint8_t * in,size_t in_len)256 ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {
257 CBS cbs;
258 CBS_init(&cbs, in, in_len);
259 ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
260 if (ret == NULL || CBS_len(&cbs) != 0) {
261 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
262 ECDSA_SIG_free(ret);
263 return NULL;
264 }
265 return ret;
266 }
267
ECDSA_SIG_marshal(CBB * cbb,const ECDSA_SIG * sig)268 int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig) {
269 CBB child;
270 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
271 !BN_marshal_asn1(&child, sig->r) || !BN_marshal_asn1(&child, sig->s) ||
272 !CBB_flush(cbb)) {
273 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
274 return 0;
275 }
276 return 1;
277 }
278
ECDSA_SIG_to_bytes(uint8_t ** out_bytes,size_t * out_len,const ECDSA_SIG * sig)279 int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,
280 const ECDSA_SIG *sig) {
281 CBB cbb;
282 CBB_zero(&cbb);
283 if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig) ||
284 !CBB_finish(&cbb, out_bytes, out_len)) {
285 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
286 CBB_cleanup(&cbb);
287 return 0;
288 }
289 return 1;
290 }
291
292 // der_len_len returns the number of bytes needed to represent a length of |len|
293 // in DER.
der_len_len(size_t len)294 static size_t der_len_len(size_t len) {
295 if (len < 0x80) {
296 return 1;
297 }
298 size_t ret = 1;
299 while (len > 0) {
300 ret++;
301 len >>= 8;
302 }
303 return ret;
304 }
305
ECDSA_SIG_max_len(size_t order_len)306 size_t ECDSA_SIG_max_len(size_t order_len) {
307 // Compute the maximum length of an |order_len| byte integer. Defensively
308 // assume that the leading 0x00 is included.
309 size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
310 if (integer_len < order_len) {
311 return 0;
312 }
313 // An ECDSA signature is two INTEGERs.
314 size_t value_len = 2 * integer_len;
315 if (value_len < integer_len) {
316 return 0;
317 }
318 // Add the header.
319 size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
320 if (ret < value_len) {
321 return 0;
322 }
323 return ret;
324 }
325
d2i_ECDSA_SIG(ECDSA_SIG ** out,const uint8_t ** inp,long len)326 ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len) {
327 if (len < 0) {
328 return NULL;
329 }
330 CBS cbs;
331 CBS_init(&cbs, *inp, (size_t)len);
332 ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);
333 if (ret == NULL) {
334 return NULL;
335 }
336 if (out != NULL) {
337 ECDSA_SIG_free(*out);
338 *out = ret;
339 }
340 *inp = CBS_data(&cbs);
341 return ret;
342 }
343
i2d_ECDSA_SIG(const ECDSA_SIG * sig,uint8_t ** outp)344 int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp) {
345 CBB cbb;
346 if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig)) {
347 CBB_cleanup(&cbb);
348 return -1;
349 }
350 return CBB_finish_i2d(&cbb, outp);
351 }
352