author | NIIBE Yutaka <gniibe@fsij.org> | 2019-10-22 13:29:13 +0900 |
committer | NIIBE Yutaka <gniibe@fsij.org> | 2019-10-22 13:29:13 +0900 |
commit | 6a30a9a2cc48d2343c3e9815567dbd4bf9eec058 (patch) | |
tree | 250b84238bb801ec54148b181a7a825aab6b9d3e /cipher/ecc-ecdsa.c | |
parent | 975de38796917392e83152447c6575648a5a5ee3 (diff) | |
download | libgcrypt-6a30a9a2cc48d2343c3e9815567dbd4bf9eec058.tar.gz |
ecc: Simplify using mpi_ec_t directly.
* cipher/ecc-common.h (ECC_public_key, ECC_secret_key): Remove.
(_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify): Use mpi_ec_t.
(_gcry_ecc_eddsa_genkey, _gcry_ecc_eddsa_sign): Likewise.
(_gcry_ecc_eddsa_verify): Likewise.
(_gcry_ecc_gost_sign, _gcry_ecc_gost_verify): Likewise.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Use mpi_ec_t directly.
(_gcry_ecc_ecdsa_verify): Likewise.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise.
(_gcry_ecc_eddsa_sign, _gcry_ecc_eddsa_verify): Likewise.
* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
(_gcry_ecc_gost_verify): Likewise.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'cipher/ecc-ecdsa.c')
-rw-r--r-- | cipher/ecc-ecdsa.c | 68 |
1 files changed, 29 insertions, 39 deletions
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 20e5cfb7..256f478b 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -38,7 +38,7 @@
 * must have allocated R and S.
 */
 gpg_err_code_t
-_gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+_gcry_ecc_ecdsa_sign (gcry_mpi_t input, mpi_ec_t ec,
 gcry_mpi_t r, gcry_mpi_t s,
 int flags, int hashalgo)
 {
@@ -49,14 +49,13 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
 gcry_mpi_t hash;
 const void *abuf;
 unsigned int abits, qbits;
- mpi_ec_t ctx;
 gcry_mpi_t b; /* Random number needed for blinding. */
 gcry_mpi_t bi; /* multiplicative inverse of B. */
 if (DBG_CIPHER)
 log_mpidump ("ecdsa sign hash ", input );
- qbits = mpi_get_nbits (skey->E.n);
+ qbits = mpi_get_nbits (ec->n);
 /* Convert the INPUT into an MPI if needed. */
 rc = _gcry_dsa_normalize_hash (input, &hash, qbits);
@@ -68,9 +67,9 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
 do
 {
 _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
- mpi_mod (b, b, skey->E.n);
+ mpi_mod (b, b, ec->n);
 }
- while (!mpi_invm (bi, b, skey->E.n));
+ while (!mpi_invm (bi, b, ec->n));
 k = NULL;
 dr = mpi_alloc (0);
@@ -79,9 +78,6 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
 x = mpi_alloc (0);
 point_init (&I);
- ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0,
- skey->E.p, skey->E.a, skey->E.b);
-
 /* Two loops to avoid R or S are zero. This is more of a joke than a real demand because the probability of them being zero is less than any hardware failure. Some specs however require it. */
@@ -104,7 +100,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
 }
 abuf = mpi_get_opaque (input, &abits);
- rc = _gcry_dsa_gen_rfc6979_k (&k, skey->E.n, skey->d,
+ rc = _gcry_dsa_gen_rfc6979_k (&k, ec->n, ec->d,
 abuf, (abits+7)/8, hashalgo, extraloops);
 if (rc)
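Review bot: The new signature takes a generic `mpi_ec_t ec`, yet the body still dereferences `ec->d` (the `_gcry_dsa_gen_rfc6979_k (&k, ec->n, ec->d,` call at the end of this section and the `dr` blinding in the next hunk) without confirming a secret scalar is present; the old `ECC_secret_key *skey` type carried that guarantee, whereas a context built from a public key presumably leaves `d` unset. I would add a guard before `qbits = mpi_get_nbits (ec->n);`, where nothing has been allocated yet: `if (!ec->d) return GPG_ERR_NO_SECKEY;` and the matching `if (!ec->Q) return GPG_ERR_NO_PUBKEY;` at the top of `_gcry_ecc_ecdsa_verify` below, whose `ec->Q` goes straight into `_gcry_mpi_ec_mul_point`. The header comment above the function (` * must have allocated R and S.`) should also state that EC must provide n, G and d and that the caller keeps ownership of it, since the internal context and its `_gcry_mpi_ec_free` are gone. The body of `_gcry_ecc_ecdsa_sign` continues outside these hunks.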
@@ -112,31 +108,31 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
 extraloops++;
 }
 else
- k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+ k = _gcry_dsa_gen_k (ec->n, GCRY_STRONG_RANDOM);
- _gcry_dsa_modify_k (k, skey->E.n, qbits);
+ _gcry_dsa_modify_k (k, ec->n, qbits);
- _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
- if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+ _gcry_mpi_ec_mul_point (&I, k, ec->G, ec);
+ if (_gcry_mpi_ec_get_affine (x, NULL, &I, ec))
 {
 if (DBG_CIPHER)
 log_debug ("ecc sign: Failed to get affine coordinates\n");
 rc = GPG_ERR_BAD_SIGNATURE;
 goto leave;
 }
- mpi_mod (r, x, skey->E.n); /* r = x mod n */
+ mpi_mod (r, x, ec->n); /* r = x mod n */
 }
 while (!mpi_cmp_ui (r, 0));
 /* Computation of dr, sum, and s are blinded with b. */
- mpi_mulm (dr, b, skey->d, skey->E.n);
- mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n */
- mpi_mulm (sum, b, hash, skey->E.n);
- mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n */
- mpi_invm (k_1, k, skey->E.n); /* k_1 = k^(-1) mod n */
- mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */
+ mpi_mulm (dr, b, ec->d, ec->n);
+ mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */
+ mpi_mulm (sum, b, hash, ec->n);
+ mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */
+ mpi_invm (k_1, k, ec->n); /* k_1 = k^(-1) mod n */
+ mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */
 /* Undo blinding by b^-1 */
- mpi_mulm (s, bi, s, skey->E.n);
+ mpi_mulm (s, bi, s, ec->n);
 }
 while (!mpi_cmp_ui (s, 0));
@@ -149,7 +145,6 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
 leave:
 mpi_free (b);
 mpi_free (bi);
- _gcry_mpi_ec_free (ctx);
 point_free (&I);
 mpi_free (x);
 mpi_free (k_1);
@@ -168,21 +163,20 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
 * Check if R and S verifies INPUT.
 */
 gpg_err_code_t
-_gcry_ecc_ecdsa_verify (gcry_mpi_t input, ECC_public_key *pkey,
+_gcry_ecc_ecdsa_verify (gcry_mpi_t input, mpi_ec_t ec,
 gcry_mpi_t r, gcry_mpi_t s)
 {
 gpg_err_code_t err = 0;
 gcry_mpi_t hash, h, h1, h2, x;
 mpi_point_struct Q, Q1, Q2;
- mpi_ec_t ctx;
 unsigned int nbits;
- if( !(mpi_cmp_ui (r, 0) > 0 && mpi_cmp (r, pkey->E.n) < 0) )
+ if( !(mpi_cmp_ui (r, 0) > 0 && mpi_cmp (r, ec->n) < 0) )
 return GPG_ERR_BAD_SIGNATURE; /* Assertion 0 < r < n failed. */
- if( !(mpi_cmp_ui (s, 0) > 0 && mpi_cmp (s, pkey->E.n) < 0) )
+ if( !(mpi_cmp_ui (s, 0) > 0 && mpi_cmp (s, ec->n) < 0) )
 return GPG_ERR_BAD_SIGNATURE; /* Assertion 0 < s < n failed. */
- nbits = mpi_get_nbits (pkey->E.n);
+ nbits = mpi_get_nbits (ec->n);
 err = _gcry_dsa_normalize_hash (input, &hash, nbits);
 if (err)
 return err;
@@ -195,21 +189,18 @@ _gcry_ecc_ecdsa_verify (gcry_mpi_t input, ECC_public_key *pkey,
 point_init (&Q1);
 point_init (&Q2);
- ctx = _gcry_mpi_ec_p_internal_new (pkey->E.model, pkey->E.dialect, 0,
- pkey->E.p, pkey->E.a, pkey->E.b);
-
 /* h = s^(-1) (mod n) */
- mpi_invm (h, s, pkey->E.n);
+ mpi_invm (h, s, ec->n);
 /* h1 = hash * s^(-1) (mod n) */
- mpi_mulm (h1, hash, h, pkey->E.n);
+ mpi_mulm (h1, hash, h, ec->n);
 /* Q1 = [ hash * s^(-1) ]G */
- _gcry_mpi_ec_mul_point (&Q1, h1, &pkey->E.G, ctx);
+ _gcry_mpi_ec_mul_point (&Q1, h1, ec->G, ec);
 /* h2 = r * s^(-1) (mod n) */
- mpi_mulm (h2, r, h, pkey->E.n);
+ mpi_mulm (h2, r, h, ec->n);
 /* Q2 = [ r * s^(-1) ]Q */
- _gcry_mpi_ec_mul_point (&Q2, h2, &pkey->Q, ctx);
+ _gcry_mpi_ec_mul_point (&Q2, h2, ec->Q, ec);
 /* Q = ([hash * s^(-1)]G) + ([r * s^(-1)]Q) */
- _gcry_mpi_ec_add_points (&Q, &Q1, &Q2, ctx);
+ _gcry_mpi_ec_add_points (&Q, &Q1, &Q2, ec);
 if (!mpi_cmp_ui (Q.z, 0))
 {
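Review bot: The comment above `_gcry_ecc_ecdsa_verify` (` * Check if R and S verifies INPUT.`) is left untouched although the contract changed from a typed `ECC_public_key *pkey` to a generic context, so a caller can no longer tell from the prototype which fields must be populated. It should name what the routine reads from EC — the order n used in the `0 < r < n` / `0 < s < n` checks, the generator G and the public point Q passed to `_gcry_mpi_ec_mul_point` — and state that EC is used read-only and is neither modified nor freed, since the removed `_gcry_mpi_ec_free (ctx)` in the last hunk of this file moves that responsibility to the caller. A one-line addition such as ` * EC must provide N, G and Q; it is not modified or freed by this function.` would do. The function's body continues outside this hunk.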
@@ -218,14 +209,14 @@ _gcry_ecc_ecdsa_verify (gcry_mpi_t input, ECC_public_key *pkey,
 err = GPG_ERR_BAD_SIGNATURE;
 goto leave;
 }
- if (_gcry_mpi_ec_get_affine (x, NULL, &Q, ctx))
+ if (_gcry_mpi_ec_get_affine (x, NULL, &Q, ec))
 {
 if (DBG_CIPHER)
 log_debug ("ecc verify: Failed to get affine coordinates\n");
 err = GPG_ERR_BAD_SIGNATURE;
 goto leave;
 }
- mpi_mod (x, x, pkey->E.n); /* x = x mod E_n */
+ mpi_mod (x, x, ec->n); /* x = x mod E_n */
 if (mpi_cmp (x, r)) /* x != r */
 {
 if (DBG_CIPHER)
@@ -239,7 +230,6 @@ _gcry_ecc_ecdsa_verify (gcry_mpi_t input, ECC_public_key *pkey,
 }
 leave:
- _gcry_mpi_ec_free (ctx);
 point_free (&Q2);
 point_free (&Q1);
 point_free (&Q);