search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dropbear 2016.73
[tomato.git] / release / src / router / dropbear / ecdsa.c
blob14558b6f9552d3887617b76217d3577337d4bfd4
1 #include "options.h"
2 #include "includes.h"
3 #include "dbutil.h"
4 #include "crypto_desc.h"
5 #include "ecc.h"
6 #include "ecdsa.h"
7 #include "signkey.h"
8
9 #ifdef DROPBEAR_ECDSA
10
11 int signkey_is_ecdsa(enum signkey_type type)
12 {
13 return type == DROPBEAR_SIGNKEY_ECDSA_NISTP256
14 || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384
15 || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521;
16 }
17
18 enum signkey_type ecdsa_signkey_type(ecc_key * key) {
19 #ifdef DROPBEAR_ECC_256
20 if (key->dp == ecc_curve_nistp256.dp) {
21 return DROPBEAR_SIGNKEY_ECDSA_NISTP256;
22 }
23 #endif
24 #ifdef DROPBEAR_ECC_384
25 if (key->dp == ecc_curve_nistp384.dp) {
26 return DROPBEAR_SIGNKEY_ECDSA_NISTP384;
27 }
28 #endif
29 #ifdef DROPBEAR_ECC_521
30 if (key->dp == ecc_curve_nistp521.dp) {
31 return DROPBEAR_SIGNKEY_ECDSA_NISTP521;
32 }
33 #endif
34 return DROPBEAR_SIGNKEY_NONE;
35 }
36
37 ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) {
38 const ltc_ecc_set_type *dp = NULL; /* curve domain parameters */
39 ecc_key *new_key = NULL;
40 switch (bit_size) {
41 #ifdef DROPBEAR_ECC_256
42 case 256:
43 dp = ecc_curve_nistp256.dp;
44 break;
45 #endif
46 #ifdef DROPBEAR_ECC_384
47 case 384:
48 dp = ecc_curve_nistp384.dp;
49 break;
50 #endif
51 #ifdef DROPBEAR_ECC_521
52 case 521:
53 dp = ecc_curve_nistp521.dp;
54 break;
55 #endif
56 }
57 if (!dp) {
58 dropbear_exit("Key size %d isn't valid. Try "
59 #ifdef DROPBEAR_ECC_256
60 "256 "
61 #endif
62 #ifdef DROPBEAR_ECC_384
63 "384 "
64 #endif
65 #ifdef DROPBEAR_ECC_521
66 "521 "
67 #endif
68 , bit_size);
69 }
70
71 new_key = m_malloc(sizeof(*new_key));
72 if (ecc_make_key_ex(NULL, dropbear_ltc_prng, new_key, dp) != CRYPT_OK) {
73 dropbear_exit("ECC error");
74 }
75 return new_key;
76 }
77
78 ecc_key *buf_get_ecdsa_pub_key(buffer* buf) {
79 unsigned char *key_ident = NULL, *identifier = NULL;
80 unsigned int key_ident_len, identifier_len;
81 buffer *q_buf = NULL;
82 struct dropbear_ecc_curve **curve;
83 ecc_key *new_key = NULL;
84
85 /* string "ecdsa-sha2-[identifier]" */
86 key_ident = (unsigned char*)buf_getstring(buf, &key_ident_len);
87 /* string "[identifier]" */
88 identifier = (unsigned char*)buf_getstring(buf, &identifier_len);
89
90 if (key_ident_len != identifier_len + strlen("ecdsa-sha2-")) {
91 TRACE(("Bad identifier lengths"))
92 goto out;
93 }
94 if (memcmp(&key_ident[strlen("ecdsa-sha2-")], identifier, identifier_len) != 0) {
95 TRACE(("mismatching identifiers"))
96 goto out;
97 }
98
99 for (curve = dropbear_ecc_curves; *curve; curve++) {
100 if (memcmp(identifier, (char*)(*curve)->name, strlen((char*)(*curve)->name)) == 0) {
101 break;
102 }
103 }
104 if (!*curve) {
105 TRACE(("couldn't match ecc curve"))
106 goto out;
107 }
108
109 /* string Q */
110 q_buf = buf_getstringbuf(buf);
111 new_key = buf_get_ecc_raw_pubkey(q_buf, *curve);
112
113 out:
114 m_free(key_ident);
115 m_free(identifier);
116 if (q_buf) {
117 buf_free(q_buf);
118 q_buf = NULL;
119 }
120 TRACE(("leave buf_get_ecdsa_pub_key"))
121 return new_key;
122 }
123
124 ecc_key *buf_get_ecdsa_priv_key(buffer *buf) {
125 ecc_key *new_key = NULL;
126 TRACE(("enter buf_get_ecdsa_priv_key"))
127 new_key = buf_get_ecdsa_pub_key(buf);
128 if (!new_key) {
129 return NULL;
130 }
131
132 if (buf_getmpint(buf, new_key->k) != DROPBEAR_SUCCESS) {
133 ecc_free(new_key);
134 m_free(new_key);
135 return NULL;
136 }
137
138 return new_key;
139 }
140
141 void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key) {
142 struct dropbear_ecc_curve *curve = NULL;
143 char key_ident[30];
144
145 curve = curve_for_dp(key->dp);
146 snprintf(key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name);
147 buf_putstring(buf, key_ident, strlen(key_ident));
148 buf_putstring(buf, curve->name, strlen(curve->name));
149 buf_put_ecc_raw_pubkey_string(buf, key);
150 }
151
152 void buf_put_ecdsa_priv_key(buffer *buf, ecc_key *key) {
153 buf_put_ecdsa_pub_key(buf, key);
154 buf_putmpint(buf, key->k);
155 }
156
157 void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf) {
158 /* Based on libtomcrypt's ecc_sign_hash but without the asn1 */
159 int err = DROPBEAR_FAILURE;
160 struct dropbear_ecc_curve *curve = NULL;
161 hash_state hs;
162 unsigned char hash[64];
163 void *e = NULL, *p = NULL, *s = NULL, *r;
164 char key_ident[30];
165 buffer *sigbuf = NULL;
166
167 TRACE(("buf_put_ecdsa_sign"))
168 curve = curve_for_dp(key->dp);
169
170 if (ltc_init_multi(&r, &s, &p, &e, NULL) != CRYPT_OK) {
171 goto out;
172 }
173
174 curve->hash_desc->init(&hs);
175 curve->hash_desc->process(&hs, data_buf->data, data_buf->len);
176 curve->hash_desc->done(&hs, hash);
177
178 if (ltc_mp.unsigned_read(e, hash, curve->hash_desc->hashsize) != CRYPT_OK) {
179 goto out;
180 }
181
182 if (ltc_mp.read_radix(p, (char *)key->dp->order, 16) != CRYPT_OK) {
183 goto out;
184 }
185
186 for (;;) {
187 ecc_key R_key; /* ephemeral key */
188 if (ecc_make_key_ex(NULL, dropbear_ltc_prng, &R_key, key->dp) != CRYPT_OK) {
189 goto out;
190 }
191 if (ltc_mp.mpdiv(R_key.pubkey.x, p, NULL, r) != CRYPT_OK) {
192 goto out;
193 }
194 if (ltc_mp.compare_d(r, 0) == LTC_MP_EQ) {
195 /* try again */
196 ecc_free(&R_key);
197 continue;
198 }
199 /* k = 1/k */
200 if (ltc_mp.invmod(R_key.k, p, R_key.k) != CRYPT_OK) {
201 goto out;
202 }
203 /* s = xr */
204 if (ltc_mp.mulmod(key->k, r, p, s) != CRYPT_OK) {
205 goto out;
206 }
207 /* s = e + xr */
208 if (ltc_mp.add(e, s, s) != CRYPT_OK) {
209 goto out;
210 }
211 if (ltc_mp.mpdiv(s, p, NULL, s) != CRYPT_OK) {
212 goto out;
213 }
214 /* s = (e + xr)/k */
215 if (ltc_mp.mulmod(s, R_key.k, p, s) != CRYPT_OK) {
216 goto out;
217 }
218 ecc_free(&R_key);
219
220 if (ltc_mp.compare_d(s, 0) != LTC_MP_EQ) {
221 break;
222 }
223 }
224
225 snprintf(key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name);
226 buf_putstring(buf, key_ident, strlen(key_ident));
227 /* enough for nistp521 */
228 sigbuf = buf_new(200);
229 buf_putmpint(sigbuf, (mp_int*)r);
230 buf_putmpint(sigbuf, (mp_int*)s);
231 buf_putbufstring(buf, sigbuf);
232
233 err = DROPBEAR_SUCCESS;
234
235 out:
236 if (r && s && p && e) {
237 ltc_deinit_multi(r, s, p, e, NULL);
238 }
239
240 if (sigbuf) {
241 buf_free(sigbuf);
242 }
243
244 if (err == DROPBEAR_FAILURE) {
245 dropbear_exit("ECC error");
246 }
247 }
248
249 /* returns values in s and r
250 returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
251 static int buf_get_ecdsa_verify_params(buffer *buf,
252 void *r, void* s) {
253 int ret = DROPBEAR_FAILURE;
254 unsigned int sig_len;
255 unsigned int sig_pos;
256
257 sig_len = buf_getint(buf);
258 sig_pos = buf->pos;
259 if (buf_getmpint(buf, r) != DROPBEAR_SUCCESS) {
260 goto out;
261 }
262 if (buf_getmpint(buf, s) != DROPBEAR_SUCCESS) {
263 goto out;
264 }
265 if (buf->pos - sig_pos != sig_len) {
266 goto out;
267 }
268 ret = DROPBEAR_SUCCESS;
269
270 out:
271 return ret;
272 }
273
274
275 int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf) {
276 /* Based on libtomcrypt's ecc_verify_hash but without the asn1 */
277 int ret = DROPBEAR_FAILURE;
278 hash_state hs;
279 struct dropbear_ecc_curve *curve = NULL;
280 unsigned char hash[64];
281 ecc_point *mG = NULL, *mQ = NULL;
282 void *r = NULL, *s = NULL, *v = NULL, *w = NULL, *u1 = NULL, *u2 = NULL,
283 *e = NULL, *p = NULL, *m = NULL;
284 void *mp = NULL;
285
286 /* verify
287 *
288 * w = s^-1 mod n
289 * u1 = xw
290 * u2 = rw
291 * X = u1*G + u2*Q
292 * v = X_x1 mod n
293 * accept if v == r
294 */
295
296 TRACE(("buf_ecdsa_verify"))
297 curve = curve_for_dp(key->dp);
298
299 mG = ltc_ecc_new_point();
300 mQ = ltc_ecc_new_point();
301 if (ltc_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL) != CRYPT_OK
302 || !mG
303 || !mQ) {
304 dropbear_exit("ECC error");
305 }
306
307 if (buf_get_ecdsa_verify_params(buf, r, s) != DROPBEAR_SUCCESS) {
308 goto out;
309 }
310
311 curve->hash_desc->init(&hs);
312 curve->hash_desc->process(&hs, data_buf->data, data_buf->len);
313 curve->hash_desc->done(&hs, hash);
314
315 if (ltc_mp.unsigned_read(e, hash, curve->hash_desc->hashsize) != CRYPT_OK) {
316 goto out;
317 }
318
319 /* get the order */
320 if (ltc_mp.read_radix(p, (char *)key->dp->order, 16) != CRYPT_OK) {
321 goto out;
322 }
323
324 /* get the modulus */
325 if (ltc_mp.read_radix(m, (char *)key->dp->prime, 16) != CRYPT_OK) {
326 goto out;
327 }
328
329 /* check for zero */
330 if (ltc_mp.compare_d(r, 0) == LTC_MP_EQ
331 || ltc_mp.compare_d(s, 0) == LTC_MP_EQ
332 || ltc_mp.compare(r, p) != LTC_MP_LT
333 || ltc_mp.compare(s, p) != LTC_MP_LT) {
334 goto out;
335 }
336
337 /* w = s^-1 mod n */
338 if (ltc_mp.invmod(s, p, w) != CRYPT_OK) {
339 goto out;
340 }
341
342 /* u1 = ew */
343 if (ltc_mp.mulmod(e, w, p, u1) != CRYPT_OK) {
344 goto out;
345 }
346
347 /* u2 = rw */
348 if (ltc_mp.mulmod(r, w, p, u2) != CRYPT_OK) {
349 goto out;
350 }
351
352 /* find mG and mQ */
353 if (ltc_mp.read_radix(mG->x, (char *)key->dp->Gx, 16) != CRYPT_OK) {
354 goto out;
355 }
356 if (ltc_mp.read_radix(mG->y, (char *)key->dp->Gy, 16) != CRYPT_OK) {
357 goto out;
358 }
359 if (ltc_mp.set_int(mG->z, 1) != CRYPT_OK) {
360 goto out;
361 }
362
363 if (ltc_mp.copy(key->pubkey.x, mQ->x) != CRYPT_OK
364 || ltc_mp.copy(key->pubkey.y, mQ->y) != CRYPT_OK
365 || ltc_mp.copy(key->pubkey.z, mQ->z) != CRYPT_OK) {
366 goto out;
367 }
368
369 /* compute u1*mG + u2*mQ = mG */
370 if (ltc_mp.ecc_mul2add == NULL) {
371 if (ltc_mp.ecc_ptmul(u1, mG, mG, m, 0) != CRYPT_OK) {
372 goto out;
373 }
374 if (ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0) != CRYPT_OK) {
375 goto out;
376 }
377
378 /* find the montgomery mp */
379 if (ltc_mp.montgomery_setup(m, &mp) != CRYPT_OK) {
380 goto out;
381 }
382
383 /* add them */
384 if (ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp) != CRYPT_OK) {
385 goto out;
386 }
387
388 /* reduce */
389 if (ltc_mp.ecc_map(mG, m, mp) != CRYPT_OK) {
390 goto out;
391 }
392 } else {
393 /* use Shamir's trick to compute u1*mG + u2*mQ using half of the doubles */
394 if (ltc_mp.ecc_mul2add(mG, u1, mQ, u2, mG, m) != CRYPT_OK) {
395 goto out;
396 }
397 }
398
399 /* v = X_x1 mod n */
400 if (ltc_mp.mpdiv(mG->x, p, NULL, v) != CRYPT_OK) {
401 goto out;
402 }
403
404 /* does v == r */
405 if (ltc_mp.compare(v, r) == LTC_MP_EQ) {
406 ret = DROPBEAR_SUCCESS;
407 }
408
409 out:
410 ltc_ecc_del_point(mG);
411 ltc_ecc_del_point(mQ);
412 ltc_deinit_multi(r, s, v, w, u1, u2, p, e, m, NULL);
413 if (mp != NULL) {
414 ltc_mp.montgomery_deinit(mp);
415 }
416 return ret;
417 }
418
419
420
421 #endif /* DROPBEAR_ECDSA */
Tomato firmware and modifications.