/*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/rand.h>
#include "crypto/bn.h"
#include "ec_local.h"
+#include "internal/deterministic_nonce.h"
+
+#define MIN_ECDSA_SIGN_ORDERBITS 64
+/*
+ * It is highly unlikely that a retry will happen,
+ * Multiple retries would indicate that something is wrong
+ * with the group parameters (which would normally only happen
+ * with a bad custom group).
+ */
+#define MAX_ECDSA_SIGN_RETRIES 8
+
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp,
+ const unsigned char *dgst, int dlen,
+ unsigned int nonce_type, const char *digestname,
+ OSSL_LIB_CTX *libctx, const char *propq);
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
*siglen = 0;
return 0;
}
- *siglen = i2d_ECDSA_SIG(s, &sig);
+ *siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
ECDSA_SIG_free(s);
return 1;
}
+int ossl_ecdsa_deterministic_sign(const unsigned char *dgst, int dlen,
+ unsigned char *sig, unsigned int *siglen,
+ EC_KEY *eckey, unsigned int nonce_type,
+ const char *digestname,
+ OSSL_LIB_CTX *libctx, const char *propq)
+{
+ ECDSA_SIG *s;
+ BIGNUM *kinv = NULL, *r = NULL;
+ int ret = 0;
+
+ *siglen = 0;
+ if (!ecdsa_sign_setup(eckey, NULL, &kinv, &r, dgst, dlen,
+ nonce_type, digestname, libctx, propq))
+ return 0;
+
+ s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
+ if (s == NULL)
+ goto end;
+
+ *siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
+ ECDSA_SIG_free(s);
+ ret = 1;
+end:
+ BN_clear_free(kinv);
+ BN_clear_free(r);
+ return ret;
+}
+
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen)
+ const unsigned char *dgst, int dlen,
+ unsigned int nonce_type, const char *digestname,
+ OSSL_LIB_CTX *libctx, const char *propq)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *X = NULL;
if ((ctx = ctx_in) == NULL) {
if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
return 0;
}
}
r = BN_new(); /* this value is later returned in *rp */
X = BN_new();
if (k == NULL || r == NULL || X == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
if ((tmp_point = EC_POINT_new(group)) == NULL) {
/* Preallocate space */
order_bits = BN_num_bits(order);
- if (!BN_set_bit(k, order_bits)
+ /* Check the number of bits here so that an infinite loop is not possible */
+ if (order_bits < MIN_ECDSA_SIGN_ORDERBITS
+ || !BN_set_bit(k, order_bits)
|| !BN_set_bit(r, order_bits)
|| !BN_set_bit(X, order_bits))
goto err;
do {
- /* get random k */
+ /* get random or deterministic value of k */
do {
+ int res = 0;
+
if (dgst != NULL) {
- if (!BN_generate_dsa_nonce(k, order, priv_key,
- dgst, dlen, ctx)) {
- ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
- goto err;
+ if (nonce_type == 1) {
+#ifndef FIPS_MODULE
+ res = ossl_gen_deterministic_nonce_rfc6979(k, order,
+ priv_key,
+ dgst, dlen,
+ digestname,
+ libctx, propq);
+#endif
+ } else {
+ res = BN_generate_dsa_nonce(k, order, priv_key, dgst, dlen,
+ ctx);
}
} else {
- if (!BN_priv_rand_range_ex(k, order, 0, ctx)) {
- ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
- goto err;
- }
+ res = BN_priv_rand_range_ex(k, order, 0, ctx);
+ }
+ if (!res) {
+ ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
+ goto err;
}
} while (BN_is_zero(k));
int ossl_ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
{
- return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
+ return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0,
+ 0, NULL, NULL, NULL);
}
ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
EC_KEY *eckey)
{
int ok = 0, i;
+ int retries = 0;
BIGNUM *kinv = NULL, *s, *m = NULL;
const BIGNUM *order, *ckinv;
BN_CTX *ctx = NULL;
ret = ECDSA_SIG_new();
if (ret == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
return NULL;
}
ret->r = BN_new();
ret->s = BN_new();
if (ret->r == NULL || ret->s == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
s = ret->s;
if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL
|| (m = BN_new()) == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
}
do {
if (in_kinv == NULL || in_r == NULL) {
- if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) {
+ if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len,
+ 0, NULL, NULL, NULL)) {
ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
goto err;
}
} else {
ckinv = in_kinv;
if (BN_copy(ret->r, in_r) == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
goto err;
}
}
ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES);
goto err;
}
+ /* Avoid infinite loops cause by invalid group parameters */
+ if (retries++ > MAX_ECDSA_SIGN_RETRIES) {
+ ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES);
+ goto err;
+ }
} else {
/* s != 0 => we have a valid signature */
break;
ctx = BN_CTX_new_ex(eckey->libctx);
if (ctx == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
return -1;
}
BN_CTX_start(ctx);
}
if ((point = EC_POINT_new(group)) == NULL) {
- ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
goto err;
}
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {